package io.trino.plugin.base.security;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import io.trino.plugin.base.security.FileBasedSystemAccessControl;
import io.trino.spi.QueryId;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaRoutineName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.connector.SchemaRoutineName;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.function.SchemaFunctionName;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.Identity;
import io.trino.spi.security.PrincipalType;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.SystemAccessControl;
import io.trino.spi.security.SystemSecurityContext;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.spi.security.ViewExpression;
import io.trino.spi.testing.InterfaceTestUtils;
import io.trino.spi.type.VarcharType;
import java.io.File;
import java.net.URL;
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.assertj.core.api.AbstractStringAssert;
import org.assertj.core.api.Assertions;
import org.assertj.core.api.OptionalAssert;
import org.assertj.core.api.ThrowableAssert;
import org.assertj.core.util.Files;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/trino/plugin/base/security/BaseFileBasedSystemAccessControlTest.class */
public abstract class BaseFileBasedSystemAccessControlTest {
    private static final Identity alice = Identity.forUser("alice").withGroups(ImmutableSet.of("staff")).build();
    private static final Identity kerberosValidAlice = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("alice/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosValidNonAsciiUser = Identity.forUser("ƔƔƔ").withPrincipal(new KerberosPrincipal("ƔƔƔ/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosInvalidAlice = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("mallory/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosValidShare = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("valid/example.com@EXAMPLE.COM")).build();
    private static final Identity kerberosInValidShare = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("invalid/example.com@EXAMPLE.COM")).build();
    private static final Identity validSpecialRegexWildDot = Identity.forUser(".*").withPrincipal(new KerberosPrincipal("special/.*@EXAMPLE.COM")).build();
    private static final Identity validSpecialRegexEndQuote = Identity.forUser("\\E").withPrincipal(new KerberosPrincipal("special/\\E@EXAMPLE.COM")).build();
    private static final Identity invalidSpecialRegex = Identity.forUser("alice").withPrincipal(new KerberosPrincipal("special/.*@EXAMPLE.COM")).build();
    private static final Identity bob = Identity.forUser("bob").withGroups(ImmutableSet.of("staff")).build();
    private static final Identity admin = Identity.forUser("alberto").withEnabledRoles(ImmutableSet.of("admin")).withGroups(ImmutableSet.of("staff")).build();
    private static final Identity nonAsciiUser = Identity.ofUser("ƔƔƔ");
    private static final CatalogSchemaTableName aliceView = new CatalogSchemaTableName("alice-catalog", "schema", "view");
    private static final QueryId queryId = new QueryId("test_query");
    private static final Instant queryStart = Instant.now();
    private static final Identity charlie = Identity.forUser("charlie").withGroups(ImmutableSet.of("guests")).build();
    private static final Identity dave = Identity.forUser("dave").withGroups(ImmutableSet.of("contractors")).build();
    private static final Identity joe = Identity.ofUser("joe");
    private static final Identity any = Identity.ofUser("any");
    private static final Identity anyone = Identity.ofUser("anyone");
    private static final Identity unknown = Identity.ofUser("some-unknown-user-id");
    private static final SystemSecurityContext ADMIN = new SystemSecurityContext(admin, queryId, queryStart);
    private static final SystemSecurityContext BOB = new SystemSecurityContext(bob, queryId, queryStart);
    private static final SystemSecurityContext CHARLIE = new SystemSecurityContext(charlie, queryId, queryStart);
    private static final SystemSecurityContext ALICE = new SystemSecurityContext(alice, queryId, queryStart);
    private static final SystemSecurityContext JOE = new SystemSecurityContext(joe, queryId, queryStart);
    private static final SystemSecurityContext UNKNOWN = new SystemSecurityContext(unknown, queryId, queryStart);
    private static final String SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE = "Cannot show schemas";
    private static final String CREATE_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot create schema .*";
    private static final String DROP_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot drop schema .*";
    private static final String RENAME_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot rename schema from .* to .*";
    private static final String SHOW_CREATE_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot show create schema for .*";
    private static final String GRANT_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot grant privilege %s on schema %s%s";
    private static final String DENY_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot deny privilege %s on schema %s%s";
    private static final String REVOKE_SCHEMA_ACCESS_DENIED_MESSAGE = "Cannot revoke privilege %s on schema %s%s";
    private static final String SHOWN_TABLES_ACCESS_DENIED_MESSAGE = "Cannot show tables of .*";
    private static final String SELECT_TABLE_ACCESS_DENIED_MESSAGE = "Cannot select from table .*";
    private static final String SHOW_COLUMNS_ACCESS_DENIED_MESSAGE = "Cannot show columns of table .*";
    private static final String ADD_COLUMNS_ACCESS_DENIED_MESSAGE = "Cannot add a column to table .*";
    private static final String DROP_COLUMNS_ACCESS_DENIED_MESSAGE = "Cannot drop a column from table .*";
    private static final String RENAME_COLUMNS_ACCESS_DENIED_MESSAGE = "Cannot rename a column in table .*";
    private static final String TABLE_COMMENT_ACCESS_DENIED_MESSAGE = "Cannot comment table to .*";
    private static final String INSERT_TABLE_ACCESS_DENIED_MESSAGE = "Cannot insert into table .*";
    private static final String DELETE_TABLE_ACCESS_DENIED_MESSAGE = "Cannot delete from table .*";
    private static final String TRUNCATE_TABLE_ACCESS_DENIED_MESSAGE = "Cannot truncate table .*";
    private static final String DROP_TABLE_ACCESS_DENIED_MESSAGE = "Cannot drop table .*";
    private static final String CREATE_TABLE_ACCESS_DENIED_MESSAGE = "Cannot show create table for .*";
    private static final String RENAME_TABLE_ACCESS_DENIED_MESSAGE = "Cannot rename table .*";
    private static final String SET_TABLE_PROPERTIES_ACCESS_DENIED_MESSAGE = "Cannot set table properties to .*";
    private static final String CREATE_VIEW_ACCESS_DENIED_MESSAGE = "View owner '.*' cannot create view that selects from .*";
    private static final String CREATE_MATERIALIZED_VIEW_ACCESS_DENIED_MESSAGE = "Cannot create materialized view .*";
    private static final String DROP_MATERIALIZED_VIEW_ACCESS_DENIED_MESSAGE = "Cannot drop materialized view .*";
    private static final String REFRESH_MATERIALIZED_VIEW_ACCESS_DENIED_MESSAGE = "Cannot refresh materialized view .*";
    private static final String SET_MATERIALIZED_VIEW_PROPERTIES_ACCESS_DENIED_MESSAGE = "Cannot set properties of materialized view .*";
    private static final String GRANT_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE = "Cannot grant privilege DELETE on table .*";
    private static final String DENY_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE = "Cannot deny privilege DELETE on table .*";
    private static final String REVOKE_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE = "Cannot revoke privilege DELETE on table .*";
    private static final String SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE = "Cannot show functions of .*";
    private static final String SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE = "Cannot set system session property .*";
    private static final String SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE = "Cannot set catalog session property .*";
    private static final String EXECUTE_FUNCTION_ACCESS_DENIED_MESSAGE = "Cannot execute function .*";
    private static final String GRANT_EXECUTE_FUNCTION_ACCESS_DENIED_MESSAGE = ".* cannot grant .*";
    private static final String EXECUTE_PROCEDURE_ACCESS_DENIED_MESSAGE = "Cannot execute procedure .*";

    protected abstract SystemAccessControl newFileBasedSystemAccessControl(File file, Map<String, String> map);

    @Test
    public void testEverythingImplemented() {
        InterfaceTestUtils.assertAllMethodsOverridden(SystemAccessControl.class, FileBasedSystemAccessControl.class);
    }

    @Test
    public void testRefreshing() throws Exception {
        File newTemporaryFile = Files.newTemporaryFile();
        newTemporaryFile.deleteOnExit();
        com.google.common.io.Files.copy(new File(getResourcePath("file-based-system-catalog.json")), newTemporaryFile);
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl(newTemporaryFile, ImmutableMap.of("security.refresh-period", "1ms"));
        SystemSecurityContext systemSecurityContext = new SystemSecurityContext(alice, queryId, queryStart);
        newFileBasedSystemAccessControl.checkCanCreateView(systemSecurityContext, aliceView);
        newFileBasedSystemAccessControl.checkCanCreateView(systemSecurityContext, aliceView);
        newFileBasedSystemAccessControl.checkCanCreateView(systemSecurityContext, aliceView);
        com.google.common.io.Files.copy(new File(getResourcePath("file-based-system-security-config-file-with-unknown-rules.json")), newTemporaryFile);
        Thread.sleep(2L);
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanCreateView(systemSecurityContext, aliceView);
        }).hasMessageContaining("Failed to convert JSON tree node");
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl.checkCanCreateView(systemSecurityContext, aliceView);
        }).hasMessageContaining("Failed to convert JSON tree node");
        com.google.common.io.Files.copy(new File(getResourcePath("file-based-system-catalog.json")), newTemporaryFile);
        Thread.sleep(2L);
        newFileBasedSystemAccessControl.checkCanCreateView(systemSecurityContext, aliceView);
    }

    @Test
    public void testEmptyFile() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("empty.json");
        newFileBasedSystemAccessControl.checkCanCreateSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"), ImmutableMap.of());
        newFileBasedSystemAccessControl.checkCanDropSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"));
        newFileBasedSystemAccessControl.checkCanRenameSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"), "new_unknown");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        }, "Cannot set authorization for schema some-catalog.unknown to ROLE some_role");
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(UNKNOWN, new CatalogSchemaName("some-catalog", "unknown"));
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), ImmutableSet.of());
        newFileBasedSystemAccessControl.checkCanShowColumns(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
        newFileBasedSystemAccessControl.checkCanInsertIntoTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
        newFileBasedSystemAccessControl.checkCanDeleteFromTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
        newFileBasedSystemAccessControl.checkCanTruncateTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
        newFileBasedSystemAccessControl.checkCanCreateTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), Map.of());
        newFileBasedSystemAccessControl.checkCanDropTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
        newFileBasedSystemAccessControl.checkCanTruncateTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
        newFileBasedSystemAccessControl.checkCanRenameTable(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), new CatalogSchemaTableName("some-catalog", "unknown", "new_unknown"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        }, "Cannot set authorization for table some-catalog.unknown.unknown to ROLE some_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        }, "Cannot set authorization for view some-catalog.unknown.unknown to ROLE some_role");
        newFileBasedSystemAccessControl.checkCanCreateMaterializedView(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), Map.of());
        newFileBasedSystemAccessControl.checkCanDropMaterializedView(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
        newFileBasedSystemAccessControl.checkCanRefreshMaterializedView(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(UNKNOWN, new CatalogSchemaTableName("some-catalog", "unknown", "unknown"), new TrinoPrincipal(PrincipalType.ROLE, "some_role"));
        }, "Cannot set authorization for view some-catalog.unknown.unknown to ROLE some_role");
        newFileBasedSystemAccessControl.checkCanSetUser(Optional.empty(), "unknown");
        newFileBasedSystemAccessControl.checkCanSetUser(Optional.of(new KerberosPrincipal("stuff@example.com")), "unknown");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(unknown, "anything");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(UNKNOWN, "unknown", "anything");
        newFileBasedSystemAccessControl.checkCanExecuteQuery(unknown);
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(unknown, anyone);
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(unknown, anyone);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanReadSystemInformation(unknown);
        }, "Cannot read system information");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanWriteSystemInformation(unknown);
        }, "Cannot write system information");
    }

    @Test
    public void testSchemaRulesForCheckCanCreateSchema() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
        ImmutableMap of = ImmutableMap.of();
        newFileBasedSystemAccessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"), of);
        newFileBasedSystemAccessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"), of);
        newFileBasedSystemAccessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"), of);
        newFileBasedSystemAccessControl.checkCanCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "test"), of);
        newFileBasedSystemAccessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "bob"), of);
        newFileBasedSystemAccessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "staff"), of);
        newFileBasedSystemAccessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"), of);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanCreateSchema(BOB, new CatalogSchemaName("some-catalog", "test"), of);
        }, CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"), of);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob"), of);
        }, CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff"), of);
        }, CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test"), of);
        }, CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testSchemaRulesForCheckCanDropSchema() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
        newFileBasedSystemAccessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"));
        newFileBasedSystemAccessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"));
        newFileBasedSystemAccessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"));
        newFileBasedSystemAccessControl.checkCanDropSchema(ADMIN, new CatalogSchemaName("some-catalog", "test"));
        newFileBasedSystemAccessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "bob"));
        newFileBasedSystemAccessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "staff"));
        newFileBasedSystemAccessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDropSchema(BOB, new CatalogSchemaName("some-catalog", "test"));
        }, DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob"));
        }, DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff"));
        }, DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDropSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test"));
        }, DROP_SCHEMA_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testSchemaRulesForCheckCanRenameSchema() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
        newFileBasedSystemAccessControl.checkCanRenameSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"), "new_schema");
        newFileBasedSystemAccessControl.checkCanRenameSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"), "new_schema");
        newFileBasedSystemAccessControl.checkCanRenameSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"), "new_schema");
        newFileBasedSystemAccessControl.checkCanRenameSchema(ADMIN, new CatalogSchemaName("some-catalog", "test"), "new_schema");
        newFileBasedSystemAccessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "bob"), "staff");
        newFileBasedSystemAccessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "staff"), "authenticated");
        newFileBasedSystemAccessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"), "bob");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "test"), "bob");
        }, RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameSchema(BOB, new CatalogSchemaName("some-catalog", "bob"), "test");
        }, RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob"), "new_schema");
        }, RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff"), "new_schema");
        }, RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanRenameSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"), "authenticated");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test"), "new_schema");
        }, RENAME_SCHEMA_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testSchemaRulesForCheckCanShowCreateSchema() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "bob"));
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "staff"));
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "authenticated"));
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(ADMIN, new CatalogSchemaName("some-catalog", "test"));
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(BOB, new CatalogSchemaName("some-catalog", "bob"));
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(BOB, new CatalogSchemaName("some-catalog", "staff"));
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(BOB, new CatalogSchemaName("some-catalog", "authenticated"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowCreateSchema(BOB, new CatalogSchemaName("some-catalog", "test"));
        }, SHOW_CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "authenticated"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "bob"));
        }, SHOW_CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "staff"));
        }, SHOW_CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowCreateSchema(CHARLIE, new CatalogSchemaName("some-catalog", "test"));
        }, SHOW_CREATE_SCHEMA_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testGrantSchemaPrivilege() {
        for (Privilege privilege : Privilege.values()) {
            testGrantSchemaPrivilege(privilege, false);
            testGrantSchemaPrivilege(privilege, true);
        }
    }

    private void testGrantSchemaPrivilege(Privilege privilege, boolean z) {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
        TrinoPrincipal trinoPrincipal = new TrinoPrincipal(PrincipalType.USER, "alice");
        newFileBasedSystemAccessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "bob"), trinoPrincipal, z);
        newFileBasedSystemAccessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "staff"), trinoPrincipal, z);
        newFileBasedSystemAccessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "authenticated"), trinoPrincipal, z);
        newFileBasedSystemAccessControl.checkCanGrantSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "test"), trinoPrincipal, z);
        newFileBasedSystemAccessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "bob"), trinoPrincipal, z);
        newFileBasedSystemAccessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "staff"), trinoPrincipal, z);
        newFileBasedSystemAccessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "authenticated"), trinoPrincipal, z);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanGrantSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "test"), trinoPrincipal, z);
        }, String.format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.test", ""));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "bob"), trinoPrincipal, z);
        }, String.format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.bob", ""));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "staff"), trinoPrincipal, z);
        }, String.format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.staff", ""));
        newFileBasedSystemAccessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "authenticated"), trinoPrincipal, z);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanGrantSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "test"), trinoPrincipal, z);
        }, String.format(GRANT_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.test", ""));
    }

    @Test
    public void testDenySchemaPrivilege() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
        TrinoPrincipal trinoPrincipal = new TrinoPrincipal(PrincipalType.USER, "alice");
        newFileBasedSystemAccessControl.checkCanDenySchemaPrivilege(ADMIN, Privilege.UPDATE, new CatalogSchemaName("some-catalog", "bob"), trinoPrincipal);
        newFileBasedSystemAccessControl.checkCanDenySchemaPrivilege(ADMIN, Privilege.UPDATE, new CatalogSchemaName("some-catalog", "staff"), trinoPrincipal);
        newFileBasedSystemAccessControl.checkCanDenySchemaPrivilege(ADMIN, Privilege.UPDATE, new CatalogSchemaName("some-catalog", "authenticated"), trinoPrincipal);
        newFileBasedSystemAccessControl.checkCanDenySchemaPrivilege(ADMIN, Privilege.UPDATE, new CatalogSchemaName("some-catalog", "test"), trinoPrincipal);
        newFileBasedSystemAccessControl.checkCanDenySchemaPrivilege(BOB, Privilege.UPDATE, new CatalogSchemaName("some-catalog", "bob"), trinoPrincipal);
        newFileBasedSystemAccessControl.checkCanDenySchemaPrivilege(BOB, Privilege.UPDATE, new CatalogSchemaName("some-catalog", "staff"), trinoPrincipal);
        newFileBasedSystemAccessControl.checkCanDenySchemaPrivilege(BOB, Privilege.UPDATE, new CatalogSchemaName("some-catalog", "authenticated"), trinoPrincipal);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDenySchemaPrivilege(BOB, Privilege.UPDATE, new CatalogSchemaName("some-catalog", "test"), trinoPrincipal);
        }, String.format(DENY_SCHEMA_ACCESS_DENIED_MESSAGE, Privilege.UPDATE, "some-catalog.test", ""));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDenySchemaPrivilege(CHARLIE, Privilege.UPDATE, new CatalogSchemaName("some-catalog", "bob"), trinoPrincipal);
        }, String.format(DENY_SCHEMA_ACCESS_DENIED_MESSAGE, Privilege.UPDATE, "some-catalog.bob", ""));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDenySchemaPrivilege(CHARLIE, Privilege.UPDATE, new CatalogSchemaName("some-catalog", "staff"), trinoPrincipal);
        }, String.format(DENY_SCHEMA_ACCESS_DENIED_MESSAGE, Privilege.UPDATE, "some-catalog.staff", ""));
        newFileBasedSystemAccessControl.checkCanDenySchemaPrivilege(CHARLIE, Privilege.UPDATE, new CatalogSchemaName("some-catalog", "authenticated"), trinoPrincipal);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDenySchemaPrivilege(CHARLIE, Privilege.UPDATE, new CatalogSchemaName("some-catalog", "test"), trinoPrincipal);
        }, String.format(DENY_SCHEMA_ACCESS_DENIED_MESSAGE, Privilege.UPDATE, "some-catalog.test", ""));
    }

    @Test
    public void testRevokeSchemaPrivilege() {
        for (Privilege privilege : Privilege.values()) {
            testRevokeSchemaPrivilege(privilege, false);
            testRevokeSchemaPrivilege(privilege, true);
        }
    }

    private void testRevokeSchemaPrivilege(Privilege privilege, boolean z) {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-schema.json");
        TrinoPrincipal trinoPrincipal = new TrinoPrincipal(PrincipalType.USER, "alice");
        newFileBasedSystemAccessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "bob"), trinoPrincipal, z);
        newFileBasedSystemAccessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "staff"), trinoPrincipal, z);
        newFileBasedSystemAccessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "authenticated"), trinoPrincipal, z);
        newFileBasedSystemAccessControl.checkCanRevokeSchemaPrivilege(ADMIN, privilege, new CatalogSchemaName("some-catalog", "test"), trinoPrincipal, z);
        newFileBasedSystemAccessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "bob"), trinoPrincipal, z);
        newFileBasedSystemAccessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "staff"), trinoPrincipal, z);
        newFileBasedSystemAccessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "authenticated"), trinoPrincipal, z);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRevokeSchemaPrivilege(BOB, privilege, new CatalogSchemaName("some-catalog", "test"), trinoPrincipal, z);
        }, String.format(REVOKE_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.test", ""));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "bob"), trinoPrincipal, z);
        }, String.format(REVOKE_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.bob", ""));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "staff"), trinoPrincipal, z);
        }, String.format(REVOKE_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.staff", ""));
        newFileBasedSystemAccessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "authenticated"), trinoPrincipal, z);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRevokeSchemaPrivilege(CHARLIE, privilege, new CatalogSchemaName("some-catalog", "test"), trinoPrincipal, z);
        }, String.format(REVOKE_SCHEMA_ACCESS_DENIED_MESSAGE, privilege, "some-catalog.test", ""));
    }

    @Test
    public void testTableRulesForCheckCanSelectFromColumns() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(ALICE, new CatalogSchemaTableName("some-catalog", "test", "test"), ImmutableSet.of());
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of());
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of("bobcolumn", "private", "restricted"));
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of());
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of("bobcolumn"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSelectFromColumns(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of("bobcolumn", "private"));
        }, SELECT_TABLE_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanSelectFromColumns(JOE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of());
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSelectFromColumns(ADMIN, new CatalogSchemaTableName("secret", "secret", "secret"), ImmutableSet.of());
        }, SELECT_TABLE_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSelectFromColumns(JOE, new CatalogSchemaTableName("secret", "secret", "secret"), ImmutableSet.of());
        }, SELECT_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanCreateViewWithSelectFromColumns() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanCreateViewWithSelectFromColumns(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns_with_grant"), ImmutableSet.of());
        }, CREATE_VIEW_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanCreateViewWithSelectFromColumns(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns_with_grant"), ImmutableSet.of("bobcolumn", "private"));
        newFileBasedSystemAccessControl.checkCanCreateViewWithSelectFromColumns(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns_with_grant"), ImmutableSet.of("bobcolumn"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanCreateViewWithSelectFromColumns(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns_with_grant"), ImmutableSet.of("bobcolumn", "private"));
        }, SELECT_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanShowColumns() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanShowColumns(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        newFileBasedSystemAccessControl.checkCanShowColumns(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
    }

    @Test
    public void testTableRulesForCheckCanShowColumnsWithNoAccess() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-no-access.json");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowColumns(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, SHOW_COLUMNS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("some-catalog", "bobschema"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testFunctionRulesForCheckExecuteAndGrantExecuteFunctionWithNoAccess() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-no-access.json");
        Assertions.assertThat(newFileBasedSystemAccessControl.canExecuteFunction(ALICE, new CatalogSchemaRoutineName("alice-catalog", "schema", "some_function"))).isFalse();
        Assertions.assertThat(newFileBasedSystemAccessControl.canCreateViewWithExecuteFunction(ALICE, new CatalogSchemaRoutineName("alice-catalog", "schema", "some_function"))).isFalse();
    }

    @Test
    public void testTableRulesForFilterColumns() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        Assertions.assertThat(newFileBasedSystemAccessControl.filterColumns(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of("private", "a", "restricted", "b"))).isEqualTo(ImmutableSet.of("private", "a", "restricted", "b"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterColumns(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of("private", "a", "restricted", "b"))).isEqualTo(ImmutableSet.of("private", "a", "restricted", "b"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterColumns(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), ImmutableSet.of("private", "a", "restricted", "b"))).isEqualTo(ImmutableSet.of("a", "b"));
    }

    @Test
    public void testTableFilter() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table-filter.json");
        ImmutableSet build = ImmutableSet.builder().add(new SchemaTableName("restricted", "any")).add(new SchemaTableName("secret", "any")).add(new SchemaTableName("aliceschema", "any")).add(new SchemaTableName("aliceschema", "bobtable")).add(new SchemaTableName("bobschema", "bob_any")).add(new SchemaTableName("bobschema", "any")).add(new SchemaTableName("any", "any")).build();
        Assertions.assertThat(newFileBasedSystemAccessControl.filterTables(ALICE, "any", build)).isEqualTo(ImmutableSet.builder().add(new SchemaTableName("aliceschema", "any")).add(new SchemaTableName("aliceschema", "bobtable")).build());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterTables(BOB, "any", build)).isEqualTo(ImmutableSet.builder().add(new SchemaTableName("aliceschema", "bobtable")).add(new SchemaTableName("bobschema", "bob_any")).build());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterTables(ADMIN, "any", build)).isEqualTo(ImmutableSet.builder().add(new SchemaTableName("secret", "any")).add(new SchemaTableName("aliceschema", "any")).add(new SchemaTableName("aliceschema", "bobtable")).add(new SchemaTableName("bobschema", "bob_any")).add(new SchemaTableName("bobschema", "any")).add(new SchemaTableName("any", "any")).build());
    }

    @Test
    public void testTableFilterNoAccess() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-no-access.json");
        ImmutableSet build = ImmutableSet.builder().add(new SchemaTableName("restricted", "any")).add(new SchemaTableName("secret", "any")).add(new SchemaTableName("any", "any")).build();
        Assertions.assertThat(newFileBasedSystemAccessControl.filterTables(ALICE, "any", build)).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterTables(BOB, "any", build)).isEqualTo(ImmutableSet.of());
    }

    @Test
    public void testTableRulesForFilterColumnsWithNoAccess() {
        Assertions.assertThat(newFileBasedSystemAccessControl("file-based-system-no-access.json").filterColumns(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), ImmutableSet.of("a"))).isEqualTo(ImmutableSet.of());
    }

    @Test
    public void testTableRulesForCheckCanInsertIntoTable() {
        assertTableRulesForCheckCanInsertIntoTable(newFileBasedSystemAccessControl("file-based-system-access-table.json"));
    }

    private static void assertTableRulesForCheckCanInsertIntoTable(SystemAccessControl systemAccessControl) {
        systemAccessControl.checkCanInsertIntoTable(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        systemAccessControl.checkCanInsertIntoTable(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            systemAccessControl.checkCanInsertIntoTable(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, INSERT_TABLE_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            systemAccessControl.checkCanInsertIntoTable(BOB, new CatalogSchemaTableName("some-catalog", "test", "test"));
        }, INSERT_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanDropTable() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanDropTable(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDropTable(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, DROP_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanDropMaterializedView() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanDropMaterializedView(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bob-materialized-view"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDropMaterializedView(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bob-materialized-view"));
        }, DROP_MATERIALIZED_VIEW_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanCreateMaterializedView() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanCreateMaterializedView(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bob-materialized-view"), Map.of());
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanCreateMaterializedView(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bob-materialized-view"), Map.of());
        }, CREATE_MATERIALIZED_VIEW_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanRefreshMaterializedView() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanRefreshMaterializedView(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bob-materialized-view"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRefreshMaterializedView(UNKNOWN, new CatalogSchemaTableName("some-catalog", "bobschema", "bob-materialized-view"));
        }, REFRESH_MATERIALIZED_VIEW_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanSetMaterializedViewProperties() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanSetMaterializedViewProperties(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bob-materialized-view"), ImmutableMap.of());
        newFileBasedSystemAccessControl.checkCanSetMaterializedViewProperties(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "alice-materialized-view"), ImmutableMap.of());
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetMaterializedViewProperties(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bob-materialized-view"), ImmutableMap.of());
        }, SET_MATERIALIZED_VIEW_PROPERTIES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetMaterializedViewProperties(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bob-materialized-view"), ImmutableMap.of());
        }, SET_MATERIALIZED_VIEW_PROPERTIES_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanDeleteFromTable() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanDeleteFromTable(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDeleteFromTable(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, DELETE_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanTruncateTable() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanTruncateTable(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanTruncateTable(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, TRUNCATE_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanGrantTablePrivilege() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanGrantTablePrivilege(ADMIN, Privilege.DELETE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), (TrinoPrincipal) null, false);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanGrantTablePrivilege(BOB, Privilege.DELETE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), (TrinoPrincipal) null, false);
        }, GRANT_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanDenyTablePrivilege() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanDenyTablePrivilege(ADMIN, Privilege.DELETE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), (TrinoPrincipal) null);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDenyTablePrivilege(BOB, Privilege.DELETE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), (TrinoPrincipal) null);
        }, DENY_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanRevokeTablePrivilege() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanRevokeTablePrivilege(ADMIN, Privilege.DELETE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), (TrinoPrincipal) null, false);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRevokeTablePrivilege(BOB, Privilege.DELETE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), (TrinoPrincipal) null, false);
        }, REVOKE_DELETE_PRIVILEGE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanShowCreateTable() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanShowCreateTable(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowCreateTable(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, CREATE_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanAddColumn() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanAddColumn(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanAddColumn(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, ADD_COLUMNS_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanDropColumn() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanDropColumn(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanDropColumn(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, DROP_COLUMNS_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanRenameColumn() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanRenameColumn(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameColumn(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, RENAME_COLUMNS_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForMixedGroupUsers() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table-mixed-groups.json");
        SystemSecurityContext systemSecurityContext = new SystemSecurityContext(Identity.forUser("user_1_2").withGroups(ImmutableSet.of("group1", "group2")).build(), queryId, queryStart);
        SystemSecurityContext systemSecurityContext2 = new SystemSecurityContext(Identity.forUser("user_2").withGroups(ImmutableSet.of("group2")).build(), queryId, queryStart);
        Assertions.assertThat(newFileBasedSystemAccessControl.getColumnMask(systemSecurityContext, new CatalogSchemaTableName("some-catalog", "my_schema", "my_table"), "col_a", VarcharType.VARCHAR)).isEqualTo(Optional.empty());
        assertViewExpressionEquals((ViewExpression) newFileBasedSystemAccessControl.getColumnMask(systemSecurityContext2, new CatalogSchemaTableName("some-catalog", "my_schema", "my_table"), "col_a", VarcharType.VARCHAR).orElseThrow(), ViewExpression.builder().catalog("some-catalog").schema("my_schema").expression("'mask_a'").build());
        SystemSecurityContext systemSecurityContext3 = new SystemSecurityContext(Identity.forUser("user_1_3").withGroups(ImmutableSet.of("group1", "group3")).build(), queryId, queryStart);
        SystemSecurityContext systemSecurityContext4 = new SystemSecurityContext(Identity.forUser("user_3").withGroups(ImmutableSet.of("group3")).build(), queryId, queryStart);
        Assertions.assertThat(newFileBasedSystemAccessControl.getRowFilters(systemSecurityContext3, new CatalogSchemaTableName("some-catalog", "my_schema", "my_table"))).isEqualTo(ImmutableList.of());
        List rowFilters = newFileBasedSystemAccessControl.getRowFilters(systemSecurityContext4, new CatalogSchemaTableName("some-catalog", "my_schema", "my_table"));
        Assertions.assertThat(rowFilters.size()).isEqualTo(1);
        assertViewExpressionEquals((ViewExpression) rowFilters.get(0), ViewExpression.builder().catalog("some-catalog").schema("my_schema").expression("country='US'").build());
    }

    @Test
    public void testTableRulesForCheckCanSetTableComment() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanSetTableComment(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableComment(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"));
        }, TABLE_COMMENT_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanRenameTable() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanRenameTable(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), new CatalogSchemaTableName("some-catalog", "aliceschema", "newbobtable"));
        newFileBasedSystemAccessControl.checkCanRenameTable(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "alicetable"), new CatalogSchemaTableName("some-catalog", "aliceschema", "newalicetable"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameTable(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), new CatalogSchemaTableName("some-catalog", "bobschema", "newbobtable"));
        }, RENAME_TABLE_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanRenameTable(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "alicetable"), new CatalogSchemaTableName("some-catalog", "bobschema", "newalicetable"));
        }, RENAME_TABLE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testTableRulesForCheckCanSetTableProperties() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        newFileBasedSystemAccessControl.checkCanSetTableProperties(ADMIN, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), ImmutableMap.of());
        newFileBasedSystemAccessControl.checkCanSetTableProperties(ALICE, new CatalogSchemaTableName("some-catalog", "aliceschema", "alicetable"), ImmutableMap.of());
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableProperties(BOB, new CatalogSchemaTableName("some-catalog", "bobschema", "bobtable"), ImmutableMap.of());
        }, SET_TABLE_PROPERTIES_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testCanSetUserOperations() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-catalog_principal.json");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetUser(Optional.empty(), alice.getUser());
        }, "Principal null cannot become user alice");
        newFileBasedSystemAccessControl.checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser());
        newFileBasedSystemAccessControl.checkCanSetUser(kerberosValidNonAsciiUser.getPrincipal(), kerberosValidNonAsciiUser.getUser());
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetUser(kerberosInvalidAlice.getPrincipal(), kerberosInvalidAlice.getUser());
        }, "Principal mallory/example.com@EXAMPLE.COM cannot become user alice");
        newFileBasedSystemAccessControl.checkCanSetUser(kerberosValidShare.getPrincipal(), kerberosValidShare.getUser());
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetUser(kerberosInValidShare.getPrincipal(), kerberosInValidShare.getUser());
        }, "Principal invalid/example.com@EXAMPLE.COM cannot become user alice");
        newFileBasedSystemAccessControl.checkCanSetUser(validSpecialRegexWildDot.getPrincipal(), validSpecialRegexWildDot.getUser());
        newFileBasedSystemAccessControl.checkCanSetUser(validSpecialRegexEndQuote.getPrincipal(), validSpecialRegexEndQuote.getUser());
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetUser(invalidSpecialRegex.getPrincipal(), invalidSpecialRegex.getUser());
        }, "Principal special/.*@EXAMPLE.COM cannot become user alice");
        newFileBasedSystemAccessControl("file-based-system-catalog.json").checkCanSetUser(kerberosValidAlice.getPrincipal(), kerberosValidAlice.getUser());
    }

    @Test
    public void testQuery() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("query.json");
        newFileBasedSystemAccessControl.checkCanExecuteQuery(admin);
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(admin, any);
        Assertions.assertThat(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(admin, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b")))).isEqualTo(ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b")));
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(admin, any);
        newFileBasedSystemAccessControl.checkCanExecuteQuery(alice);
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(alice, any);
        Assertions.assertThat(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(alice, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b")))).isEqualTo(ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b")));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(alice, any);
        }, "Cannot view query");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanExecuteQuery(bob);
        }, "Cannot view query");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(bob, any);
        }, "Cannot view query");
        Assertions.assertThat(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(bob, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b")))).isEqualTo(ImmutableSet.of());
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(bob, any);
        newFileBasedSystemAccessControl.checkCanExecuteQuery(dave);
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(dave, alice);
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(dave, dave);
        Assertions.assertThat(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(dave, ImmutableSet.of(Identity.ofUser("alice"), Identity.ofUser("bob"), Identity.ofUser("dave"), Identity.ofUser("admin")))).isEqualTo(ImmutableSet.of(Identity.ofUser("alice"), Identity.ofUser("dave")));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(dave, alice);
        }, "Cannot view query");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(dave, bob);
        }, "Cannot view query");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(dave, bob);
        }, "Cannot view query");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(dave, admin);
        }, "Cannot view query");
        Identity build = Identity.forUser("some-other-contractor").withGroups(ImmutableSet.of("contractors")).build();
        newFileBasedSystemAccessControl.checkCanExecuteQuery(build);
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(build, dave);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(build, dave);
        }, "Cannot view query");
        newFileBasedSystemAccessControl.checkCanExecuteQuery(nonAsciiUser);
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(nonAsciiUser, any);
        Assertions.assertThat(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(nonAsciiUser, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b")))).isEqualTo(ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b")));
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(nonAsciiUser, any);
    }

    @Test
    public void testInvalidQuery() {
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl("query-invalid.json");
        }).rootCause().hasMessage("A valid query rule cannot combine an queryOwner condition with access mode 'execute'");
    }

    @Test
    public void testQueryNotSet() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-catalog.json");
        newFileBasedSystemAccessControl.checkCanExecuteQuery(bob);
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(bob, any);
        Assertions.assertThat(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(bob, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b")))).isEqualTo(ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b")));
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(bob, any);
    }

    @Test
    public void testQueryDocsExample() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl(new File("../../docs/src/main/sphinx/security/query-access.json"), ImmutableMap.of());
        newFileBasedSystemAccessControl.checkCanExecuteQuery(admin);
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(admin, any);
        Assertions.assertThat(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(admin, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b")))).isEqualTo(ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b")));
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(admin, any);
        newFileBasedSystemAccessControl.checkCanExecuteQuery(alice);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(alice, any);
        }, "Cannot view query");
        Assertions.assertThat(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(alice, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b")))).isEqualTo(ImmutableSet.of());
        newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(alice, any);
        newFileBasedSystemAccessControl.checkCanExecuteQuery(alice);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(bob, any);
        }, "Cannot view query");
        Assertions.assertThat(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(bob, ImmutableSet.of(Identity.ofUser("a"), Identity.ofUser("b")))).isEqualTo(ImmutableSet.of());
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(bob, any);
        }, "Cannot view query");
        newFileBasedSystemAccessControl.checkCanExecuteQuery(dave);
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(dave, alice);
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(dave, dave);
        Assertions.assertThat(newFileBasedSystemAccessControl.filterViewQueryOwnedBy(dave, ImmutableSet.of(Identity.ofUser("alice"), Identity.ofUser("bob"), Identity.ofUser("dave"), Identity.ofUser("admin")))).isEqualTo(ImmutableSet.of(Identity.ofUser("alice"), Identity.ofUser("dave")));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(dave, alice);
        }, "Cannot view query");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(dave, bob);
        }, "Cannot view query");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(dave, bob);
        }, "Cannot view query");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(dave, admin);
        }, "Cannot view query");
        Identity build = Identity.forUser("some-other-contractor").withGroups(ImmutableSet.of("contractors")).build();
        newFileBasedSystemAccessControl.checkCanExecuteQuery(build);
        newFileBasedSystemAccessControl.checkCanViewQueryOwnedBy(build, dave);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanKillQueryOwnedBy(build, dave);
        }, "Cannot view query");
    }

    @Test
    public void testSystemInformation() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("system-information.json");
        newFileBasedSystemAccessControl.checkCanReadSystemInformation(admin);
        newFileBasedSystemAccessControl.checkCanWriteSystemInformation(admin);
        newFileBasedSystemAccessControl.checkCanReadSystemInformation(alice);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanWriteSystemInformation(alice);
        }, "Cannot write system information");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanReadSystemInformation(bob);
        }, "Cannot read system information");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanWriteSystemInformation(bob);
        }, "Cannot write system information");
        newFileBasedSystemAccessControl.checkCanReadSystemInformation(nonAsciiUser);
        newFileBasedSystemAccessControl.checkCanWriteSystemInformation(nonAsciiUser);
    }

    @Test
    public void testSystemInformationNotSet() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-catalog.json");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanReadSystemInformation(bob);
        }, "Cannot read system information");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanWriteSystemInformation(bob);
        }, "Cannot write system information");
    }

    @Test
    public void testSystemInformationDocsExample() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl(new File("../../docs/src/main/sphinx/security/system-information-access.json"), ImmutableMap.of());
        newFileBasedSystemAccessControl.checkCanReadSystemInformation(admin);
        newFileBasedSystemAccessControl.checkCanWriteSystemInformation(admin);
        newFileBasedSystemAccessControl.checkCanReadSystemInformation(alice);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanWriteSystemInformation(alice);
        }, "Cannot write system information");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanReadSystemInformation(bob);
        }, "Cannot read system information");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanWriteSystemInformation(bob);
        }, "Cannot write system information");
    }

    @Test
    public void testSessionPropertyRules() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-session-property.json");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(admin, "dangerous");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(admin, "any");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(alice, "safe");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(alice, "unsafe");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(alice, "staff");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(bob, "safe");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(bob, "staff");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(bob, "unsafe");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(alice, "dangerous");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(charlie, "safe");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(charlie, "staff");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(joe, "staff");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ADMIN, "any", "dangerous");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ADMIN, "alice-catalog", "dangerous");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ADMIN, "any", "any");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ALICE, "alice-catalog", "safe");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ALICE, "alice-catalog", "unsafe");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ALICE, "staff-catalog", "staff");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(BOB, "bob-catalog", "safe");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(BOB, "staff-catalog", "staff");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(BOB, "bob-catalog", "any");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(BOB, "alice-catalog", "any");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(BOB, "staff-catalog", "any");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ALICE, "alice-catalog", "dangerous");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(CHARLIE, "bob-catalog", "safe");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(CHARLIE, "staff-catalog", "staff");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(JOE, "staff-catalog", "staff");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testSessionPropertyDocsExample() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl(new File("../../docs/src/main/sphinx/security/session-property-access.json"), ImmutableMap.of());
        Identity ofUser = Identity.ofUser("banned_user");
        SystemSecurityContext systemSecurityContext = new SystemSecurityContext(Identity.ofUser("banned_user"), queryId, queryStart);
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(admin, "any");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(alice, "any");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(ofUser, "any");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(admin, "resource_overcommit");
        newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(alice, "resource_overcommit");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSystemSessionProperty(ofUser, "resource_overcommit");
        }, SET_SYSTEM_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ADMIN, "hive", "any");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ALICE, "hive", "any");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(systemSecurityContext, "hive", "any");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ADMIN, "hive", "bucket_execution_enabled");
        newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(ALICE, "hive", "bucket_execution_enabled");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetCatalogSessionProperty(systemSecurityContext, "hive", "bucket_execution_enabled");
        }, SET_CATALOG_SESSION_PROPERTY_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testFilterCatalogs() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
        ImmutableSet of = ImmutableSet.of("alice-catalog", "bob-catalog", "specific-catalog", "secret", "hidden", "open-to-all", new String[]{"blocked-catalog", "unknown", "ptf-catalog"});
        Assertions.assertThat(newFileBasedSystemAccessControl.filterCatalogs(ADMIN, of)).isEqualTo(Sets.difference(of, ImmutableSet.of("blocked-catalog")));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterCatalogs(ALICE, of)).isEqualTo(ImmutableSet.of("specific-catalog", "alice-catalog", "ptf-catalog"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterCatalogs(BOB, of)).isEqualTo(ImmutableSet.of("specific-catalog", "alice-catalog", "bob-catalog"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterCatalogs(CHARLIE, of)).isEqualTo(ImmutableSet.of("specific-catalog"));
    }

    @Test
    public void testSchemaRulesForCheckCanShowSchemas() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "specific-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "session-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "secret");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "hidden");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "open-to-all");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "blocked-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowSchemas(ADMIN, "unknown");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "specific-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "session-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "alice-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "alice-catalog-session");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "bob-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "bob-catalog-session");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "secret");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "hidden");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "open-to-all");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "blocked-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(ALICE, "unknown");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "specific-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "session-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "bob-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "bob-catalog-session");
        newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "alice-catalog");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "alice-catalog-session");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "secret");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "hidden");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "open-to-all");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "blocked-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(BOB, "unknown");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "session-catalog");
        newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "specific-catalog");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "alice-catalog-session");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "alice-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "bob-catalog-session");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "bob-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "secret");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "hidden");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "open-to-all");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "blocked-catalog");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowSchemas(CHARLIE, "unknown");
        }, SHOWN_SCHEMAS_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testFilterSchemas() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "specific-catalog", ImmutableSet.of("specific-schema", "unknown"))).isEqualTo(ImmutableSet.of("specific-schema", "unknown"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ALICE, "specific-catalog", ImmutableSet.of("specific-schema", "unknown"))).isEqualTo(ImmutableSet.of("specific-schema"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(BOB, "specific-catalog", ImmutableSet.of("specific-schema"))).isEqualTo(ImmutableSet.of("specific-schema"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "specific-catalog", ImmutableSet.of("specific-schema", "unknown"))).isEqualTo(ImmutableSet.of("specific-schema"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "alice-catalog", ImmutableSet.of("alice-schema", "bob-schema", "unknown"))).isEqualTo(ImmutableSet.of("alice-schema", "bob-schema", "unknown"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ALICE, "alice-catalog", ImmutableSet.of("alice-schema", "bob-schema", "unknown"))).isEqualTo(ImmutableSet.of("alice-schema"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(BOB, "alice-catalog", ImmutableSet.of("alice-schema", "bob-schema", "unknown"))).isEqualTo(ImmutableSet.of("bob-schema"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "alice-catalog", ImmutableSet.of("alice-schema", "bob-schema", "unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "bob-catalog", ImmutableSet.of("bob-schema", "unknown"))).isEqualTo(ImmutableSet.of("bob-schema", "unknown"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ALICE, "bob-catalog", ImmutableSet.of("bob-schema", "unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(BOB, "bob-catalog", ImmutableSet.of("bob-schema", "unknown"))).isEqualTo(ImmutableSet.of("bob-schema"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "bob-catalog", ImmutableSet.of("bob-schema", "unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "secret", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of("unknown"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ALICE, "secret", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(BOB, "secret", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "secret", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "hidden", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of("unknown"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ALICE, "hidden", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(BOB, "hidden", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "hidden", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "open-to-all", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of("unknown"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ALICE, "open-to-all", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(BOB, "open-to-all", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "open-to-all", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "blocked-catalog", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ALICE, "blocked-catalog", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(BOB, "blocked-catalog", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "blocked-catalog", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "unknown", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of("unknown"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ALICE, "unknown", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(BOB, "unknown", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "unknown", ImmutableSet.of("unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "session-catalog", ImmutableSet.of("session-schema", "unknown"))).isEqualTo(ImmutableSet.of("session-schema", "unknown"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ALICE, "session-catalog", ImmutableSet.of("session-schema", "unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(BOB, "session-catalog", ImmutableSet.of("session-schema", "unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "session-catalog", ImmutableSet.of("session-schema", "unknown"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ADMIN, "ptf-catalog", ImmutableSet.of("ptf_schema"))).isEqualTo(ImmutableSet.of("ptf_schema"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(ALICE, "ptf-catalog", ImmutableSet.of("ptf_schema"))).isEqualTo(ImmutableSet.of("ptf_schema"));
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(BOB, "ptf-catalog", ImmutableSet.of("ptf_schema"))).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterSchemas(CHARLIE, "ptf-catalog", ImmutableSet.of("ptf_schema"))).isEqualTo(ImmutableSet.of());
    }

    @Test
    public void testSchemaRulesForCheckCanShowTables() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("specific-catalog", "specific-schema"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("bob-catalog", "bob-schema"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("bob-catalog", "any"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("alice-catalog", "alice-schema"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("alice-catalog", "any"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("secret", "secret"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("hidden", "any"));
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("open-to-all", "any"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("blocked-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowTables(ADMIN, new CatalogSchemaName("unknown", "any"));
        newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("specific-catalog", "specific-schema"));
        newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("alice-catalog", "alice-schema"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("bob-catalog", "bob-schema"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("secret", "secret"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("hidden", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("open-to-all", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("blocked-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(ALICE, new CatalogSchemaName("unknown", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("specific-catalog", "specific-schema"));
        newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("bob-catalog", "bob-schema"));
        newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("alice-catalog", "bob-schema"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("bob-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("alice-catalog", "alice-schema"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("alice-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("secret", "secret"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("hidden", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("open-to-all", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("blocked-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(BOB, new CatalogSchemaName("unknown", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("specific-catalog", "specific-schema"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("bob-catalog", "bob-schema"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("bob-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("alice-catalog", "alice-schema"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("alice-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("secret", "secret"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("hidden", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("open-to-all", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("blocked-catalog", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowTables(CHARLIE, new CatalogSchemaName("unknown", "any"));
        }, SHOWN_TABLES_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testSchemaRulesForCheckCanShowFunctions() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
        newFileBasedSystemAccessControl.checkCanShowFunctions(ADMIN, new CatalogSchemaName("specific-catalog", "specific-schema"));
        newFileBasedSystemAccessControl.checkCanShowFunctions(ADMIN, new CatalogSchemaName("bob-catalog", "bob-schema"));
        newFileBasedSystemAccessControl.checkCanShowFunctions(ADMIN, new CatalogSchemaName("bob-catalog", "any"));
        newFileBasedSystemAccessControl.checkCanShowFunctions(ADMIN, new CatalogSchemaName("alice-catalog", "alice-schema"));
        newFileBasedSystemAccessControl.checkCanShowFunctions(ADMIN, new CatalogSchemaName("alice-catalog", "any"));
        newFileBasedSystemAccessControl.checkCanShowFunctions(ADMIN, new CatalogSchemaName("secret", "secret"));
        newFileBasedSystemAccessControl.checkCanShowFunctions(ADMIN, new CatalogSchemaName("hidden", "any"));
        newFileBasedSystemAccessControl.checkCanShowFunctions(ADMIN, new CatalogSchemaName("open-to-all", "any"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(ADMIN, new CatalogSchemaName("blocked-catalog", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowFunctions(ADMIN, new CatalogSchemaName("unknown", "any"));
        newFileBasedSystemAccessControl.checkCanShowFunctions(ALICE, new CatalogSchemaName("specific-catalog", "specific-schema"));
        newFileBasedSystemAccessControl.checkCanShowFunctions(ALICE, new CatalogSchemaName("alice-catalog", "alice-schema"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(ALICE, new CatalogSchemaName("bob-catalog", "bob-schema"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(ALICE, new CatalogSchemaName("secret", "secret"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(ALICE, new CatalogSchemaName("hidden", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(ALICE, new CatalogSchemaName("open-to-all", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(ALICE, new CatalogSchemaName("blocked-catalog", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(ALICE, new CatalogSchemaName("unknown", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowFunctions(BOB, new CatalogSchemaName("specific-catalog", "specific-schema"));
        newFileBasedSystemAccessControl.checkCanShowFunctions(BOB, new CatalogSchemaName("bob-catalog", "bob-schema"));
        newFileBasedSystemAccessControl.checkCanShowFunctions(BOB, new CatalogSchemaName("alice-catalog", "bob-schema"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(BOB, new CatalogSchemaName("bob-catalog", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(BOB, new CatalogSchemaName("alice-catalog", "alice-schema"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(BOB, new CatalogSchemaName("alice-catalog", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(BOB, new CatalogSchemaName("secret", "secret"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(BOB, new CatalogSchemaName("hidden", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(BOB, new CatalogSchemaName("open-to-all", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(BOB, new CatalogSchemaName("blocked-catalog", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(BOB, new CatalogSchemaName("unknown", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        newFileBasedSystemAccessControl.checkCanShowFunctions(CHARLIE, new CatalogSchemaName("specific-catalog", "specific-schema"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(CHARLIE, new CatalogSchemaName("bob-catalog", "bob-schema"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(CHARLIE, new CatalogSchemaName("bob-catalog", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(CHARLIE, new CatalogSchemaName("alice-catalog", "alice-schema"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(CHARLIE, new CatalogSchemaName("alice-catalog", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(CHARLIE, new CatalogSchemaName("secret", "secret"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(CHARLIE, new CatalogSchemaName("hidden", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(CHARLIE, new CatalogSchemaName("open-to-all", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(CHARLIE, new CatalogSchemaName("blocked-catalog", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanShowFunctions(CHARLIE, new CatalogSchemaName("unknown", "any"));
        }, SHOWN_FUNCTIONS_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testGetColumnMask() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        Assertions.assertThat(newFileBasedSystemAccessControl.getColumnMask(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), "masked", VarcharType.VARCHAR)).isEqualTo(Optional.empty());
        assertViewExpressionEquals((ViewExpression) newFileBasedSystemAccessControl.getColumnMask(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), "masked", VarcharType.VARCHAR).orElseThrow(), ViewExpression.builder().catalog("some-catalog").schema("bobschema").expression("'mask'").build());
        assertViewExpressionEquals((ViewExpression) newFileBasedSystemAccessControl.getColumnMask(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"), "masked_with_user", VarcharType.VARCHAR).orElseThrow(), ViewExpression.builder().identity("mask-user").catalog("some-catalog").schema("bobschema").expression("'mask-with-user'").build());
    }

    @Test
    public void testGetRowFilter() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-table.json");
        Assertions.assertThat(newFileBasedSystemAccessControl.getRowFilters(ALICE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"))).isEqualTo(ImmutableList.of());
        List rowFilters = newFileBasedSystemAccessControl.getRowFilters(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns"));
        Assertions.assertThat(rowFilters.size()).isEqualTo(1);
        assertViewExpressionEquals((ViewExpression) rowFilters.get(0), ViewExpression.builder().catalog("some-catalog").schema("bobschema").expression("starts_with(value, 'filter')").build());
        List rowFilters2 = newFileBasedSystemAccessControl.getRowFilters(CHARLIE, new CatalogSchemaTableName("some-catalog", "bobschema", "bobcolumns_with_grant"));
        Assertions.assertThat(rowFilters2.size()).isEqualTo(1);
        assertViewExpressionEquals((ViewExpression) rowFilters2.get(0), ViewExpression.builder().identity("filter-user").catalog("some-catalog").schema("bobschema").expression("starts_with(value, 'filter-with-user')").build());
    }

    private static void assertViewExpressionEquals(ViewExpression viewExpression, ViewExpression viewExpression2) {
        ((OptionalAssert) Assertions.assertThat(viewExpression.getSecurityIdentity()).describedAs("Identity", new Object[0])).isEqualTo(viewExpression2.getSecurityIdentity());
        ((OptionalAssert) Assertions.assertThat(viewExpression.getCatalog()).describedAs("Catalog", new Object[0])).isEqualTo(viewExpression2.getCatalog());
        ((OptionalAssert) Assertions.assertThat(viewExpression.getSchema()).describedAs("Schema", new Object[0])).isEqualTo(viewExpression2.getSchema());
        ((AbstractStringAssert) Assertions.assertThat(viewExpression.getExpression()).describedAs("Expression", new Object[0])).isEqualTo(viewExpression2.getExpression());
        Assertions.assertThat(viewExpression.getPath()).describedAs("Path", new Object[0]).isEqualTo(viewExpression2.getPath());
    }

    @Test
    public void testProcedureRulesForCheckCanExecute() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
        newFileBasedSystemAccessControl.checkCanExecuteProcedure(BOB, new CatalogSchemaRoutineName("alice-catalog", new SchemaRoutineName("procedure-schema", "some_procedure")));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanExecuteProcedure(BOB, new CatalogSchemaRoutineName("alice-catalog", new SchemaRoutineName("some-schema", "some_procedure")));
        }, EXECUTE_PROCEDURE_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanExecuteProcedure(BOB, new CatalogSchemaRoutineName("alice-catalog", new SchemaRoutineName("procedure-schema", "another_procedure")));
        }, EXECUTE_PROCEDURE_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanExecuteProcedure(CHARLIE, new CatalogSchemaRoutineName("open-to-all", new SchemaRoutineName("some-schema", "some_procedure")));
        }, EXECUTE_PROCEDURE_ACCESS_DENIED_MESSAGE);
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanExecuteProcedure(ALICE, new CatalogSchemaRoutineName("alice-catalog", new SchemaRoutineName("procedure-schema", "some_procedure")));
        }, EXECUTE_PROCEDURE_ACCESS_DENIED_MESSAGE);
    }

    @Test
    public void testFunctionRulesForCheckCanExecute() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
        Assertions.assertThat(newFileBasedSystemAccessControl.canExecuteFunction(BOB, new CatalogSchemaRoutineName("specific-catalog", "system", "some_function"))).isTrue();
        Assertions.assertThat(newFileBasedSystemAccessControl.canExecuteFunction(ADMIN, new CatalogSchemaRoutineName("ptf-catalog", "ptf_schema", "some_table_function"))).isFalse();
        Assertions.assertThat(newFileBasedSystemAccessControl.canExecuteFunction(ADMIN, new CatalogSchemaRoutineName("specific-catalog", "system", "some_function"))).isFalse();
        Assertions.assertThat(newFileBasedSystemAccessControl.canExecuteFunction(ALICE, new CatalogSchemaRoutineName("ptf-catalog", "ptf_schema", "some_table_function"))).isTrue();
        Assertions.assertThat(newFileBasedSystemAccessControl.canExecuteFunction(ALICE, new CatalogSchemaRoutineName("specific-catalog", "system", "some_function"))).isFalse();
        Assertions.assertThat(newFileBasedSystemAccessControl.canExecuteFunction(BOB, new CatalogSchemaRoutineName("ptf-catalog", "ptf_schema", "some_table_function"))).isFalse();
        Assertions.assertThat(newFileBasedSystemAccessControl.canExecuteFunction(BOB, new CatalogSchemaRoutineName("specific-catalog", "system", "some_function"))).isTrue();
        Assertions.assertThat(newFileBasedSystemAccessControl.canExecuteFunction(CHARLIE, new CatalogSchemaRoutineName("ptf-catalog", "ptf_schema", "some_table_function"))).isFalse();
        Assertions.assertThat(newFileBasedSystemAccessControl.canExecuteFunction(CHARLIE, new CatalogSchemaRoutineName("specific-catalog", "system", "some_function"))).isFalse();
    }

    @Test
    public void testFunctionRulesForCheckCanCreateView() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-visibility.json");
        Assertions.assertThat(newFileBasedSystemAccessControl.canCreateViewWithExecuteFunction(ALICE, new CatalogSchemaRoutineName("ptf-catalog", "ptf_schema", "some_table_function"))).isTrue();
        Assertions.assertThat(newFileBasedSystemAccessControl.canCreateViewWithExecuteFunction(ALICE, new CatalogSchemaRoutineName("ptf-catalog", "ptf_schema", "some_function"))).isFalse();
        Assertions.assertThat(newFileBasedSystemAccessControl.canCreateViewWithExecuteFunction(ALICE, new CatalogSchemaRoutineName("specific-catalog", "builtin", "some_table_function"))).isFalse();
        Assertions.assertThat(newFileBasedSystemAccessControl.canCreateViewWithExecuteFunction(ALICE, new CatalogSchemaRoutineName("specific-catalog", "builtin", "some_function"))).isFalse();
        Assertions.assertThat(newFileBasedSystemAccessControl.canCreateViewWithExecuteFunction(BOB, new CatalogSchemaRoutineName("ptf-catalog", "ptf_schema", "some_table_function"))).isFalse();
        Assertions.assertThat(newFileBasedSystemAccessControl.canCreateViewWithExecuteFunction(BOB, new CatalogSchemaRoutineName("ptf-catalog", "ptf_schema", "some_function"))).isFalse();
        Assertions.assertThat(newFileBasedSystemAccessControl.canCreateViewWithExecuteFunction(BOB, new CatalogSchemaRoutineName("specific-catalog", "builtin", "some_table_function"))).isFalse();
        Assertions.assertThat(newFileBasedSystemAccessControl.canCreateViewWithExecuteFunction(BOB, new CatalogSchemaRoutineName("specific-catalog", "builtin", "some_function"))).isTrue();
    }

    @Test
    public void testSchemaAuthorization() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("authorization.json");
        CatalogSchemaName catalogSchemaName = new CatalogSchemaName("some-catalog", "test");
        CatalogSchemaName catalogSchemaName2 = new CatalogSchemaName("some-catalog", "owned_by_user");
        CatalogSchemaName catalogSchemaName3 = new CatalogSchemaName("some-catalog", "owned_by_group");
        CatalogSchemaName catalogSchemaName4 = new CatalogSchemaName("some-catalog", "owned_by_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("user", "group", "role"), catalogSchemaName, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for schema some-catalog.test to ROLE new_role");
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("owner_authorized", "group", "role"), catalogSchemaName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("owner", "authorized", "role"), catalogSchemaName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("owner", "group", "authorized"), catalogSchemaName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("owner_without_authorization_access", "group", "role"), catalogSchemaName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for schema some-catalog.owned_by_user to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("owner_DENY_authorized", "group", "role"), catalogSchemaName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for schema some-catalog.owned_by_user to USER new_user");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("owner", "DENY_authorized", "role"), catalogSchemaName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for schema some-catalog.owned_by_user to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("owner", "group", "DENY_authorized"), catalogSchemaName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for schema some-catalog.owned_by_user to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("owner", "group", "authorized"), catalogSchemaName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for schema some-catalog.owned_by_user to USER new_user");
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("authorized", "owner", "role"), catalogSchemaName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("user", "owner", "authorized"), catalogSchemaName3, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("user", "owner", "role"), catalogSchemaName3, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for schema some-catalog.owned_by_group to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("DENY_authorized", "owner", "role"), catalogSchemaName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for schema some-catalog.owned_by_group to USER new_user");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("user", "owner", "DENY_authorized"), catalogSchemaName3, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for schema some-catalog.owned_by_group to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("user", "owner", "authorized"), catalogSchemaName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for schema some-catalog.owned_by_group to USER new_user");
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("authorized", "group", "owner"), catalogSchemaName4, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("user", "group", "owner_authorized"), catalogSchemaName4, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("user", "group", "owner"), catalogSchemaName4, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for schema some-catalog.owned_by_role to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("DENY_authorized", "group", "owner"), catalogSchemaName4, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for schema some-catalog.owned_by_role to USER new_user");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("user", "group", "owner_DENY_authorized"), catalogSchemaName4, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for schema some-catalog.owned_by_role to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(user("user", "group", "owner_authorized"), catalogSchemaName4, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for schema some-catalog.owned_by_role to USER new_user");
    }

    @Test
    public void testTableAuthorization() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("authorization.json");
        CatalogSchemaTableName catalogSchemaTableName = new CatalogSchemaTableName("some-catalog", "test", "table");
        CatalogSchemaTableName catalogSchemaTableName2 = new CatalogSchemaTableName("some-catalog", "test", "owned_by_user");
        CatalogSchemaTableName catalogSchemaTableName3 = new CatalogSchemaTableName("some-catalog", "test", "owned_by_group");
        CatalogSchemaTableName catalogSchemaTableName4 = new CatalogSchemaTableName("some-catalog", "test", "owned_by_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("user", "group", "role"), catalogSchemaTableName, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for table some-catalog.test.table to ROLE new_role");
        newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("owner_authorized", "group", "role"), catalogSchemaTableName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("owner", "group", "authorized"), catalogSchemaTableName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("owner_without_authorization_access", "group", "role"), catalogSchemaTableName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for table some-catalog.test.owned_by_user to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("owner_DENY_authorized", "group", "role"), catalogSchemaTableName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for table some-catalog.test.owned_by_user to USER new_user");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("owner", "group", "DENY_authorized"), catalogSchemaTableName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for table some-catalog.test.owned_by_user to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("owner", "group", "authorized"), catalogSchemaTableName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for table some-catalog.test.owned_by_user to USER new_user");
        newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("authorized", "owner", "role"), catalogSchemaTableName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("user", "owner", "authorized"), catalogSchemaTableName3, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("user", "owner", "role"), catalogSchemaTableName3, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for table some-catalog.test.owned_by_group to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("DENY_authorized", "owner", "role"), catalogSchemaTableName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for table some-catalog.test.owned_by_group to USER new_user");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("user", "owner", "DENY_authorized"), catalogSchemaTableName3, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for table some-catalog.test.owned_by_group to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("user", "owner", "authorized"), catalogSchemaTableName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for table some-catalog.test.owned_by_group to USER new_user");
        newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("authorized", "group", "owner"), catalogSchemaTableName4, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("user", "group", "owner_authorized"), catalogSchemaTableName4, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("user", "group", "owner"), catalogSchemaTableName4, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for table some-catalog.test.owned_by_role to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("DENY_authorized", "group", "owner"), catalogSchemaTableName4, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for table some-catalog.test.owned_by_role to USER new_user");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("user", "group", "owner_DENY_authorized"), catalogSchemaTableName4, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for table some-catalog.test.owned_by_role to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(user("user", "group", "owner_authorized"), catalogSchemaTableName4, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for table some-catalog.test.owned_by_role to USER new_user");
    }

    @Test
    public void testViewAuthorization() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("authorization.json");
        CatalogSchemaTableName catalogSchemaTableName = new CatalogSchemaTableName("some-catalog", "test", "table");
        CatalogSchemaTableName catalogSchemaTableName2 = new CatalogSchemaTableName("some-catalog", "test", "owned_by_user");
        CatalogSchemaTableName catalogSchemaTableName3 = new CatalogSchemaTableName("some-catalog", "test", "owned_by_group");
        CatalogSchemaTableName catalogSchemaTableName4 = new CatalogSchemaTableName("some-catalog", "test", "owned_by_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("user", "group", "role"), catalogSchemaTableName, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for view some-catalog.test.table to ROLE new_role");
        newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("owner_authorized", "group", "role"), catalogSchemaTableName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("owner", "group", "authorized"), catalogSchemaTableName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("owner_without_authorization_access", "group", "role"), catalogSchemaTableName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for view some-catalog.test.owned_by_user to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("owner_DENY_authorized", "group", "role"), catalogSchemaTableName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for view some-catalog.test.owned_by_user to USER new_user");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("owner", "group", "DENY_authorized"), catalogSchemaTableName2, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for view some-catalog.test.owned_by_user to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("owner", "group", "authorized"), catalogSchemaTableName2, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for view some-catalog.test.owned_by_user to USER new_user");
        newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("authorized", "owner", "role"), catalogSchemaTableName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("user", "owner", "authorized"), catalogSchemaTableName3, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("user", "owner", "role"), catalogSchemaTableName3, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for view some-catalog.test.owned_by_group to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("DENY_authorized", "owner", "role"), catalogSchemaTableName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for view some-catalog.test.owned_by_group to USER new_user");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("user", "owner", "DENY_authorized"), catalogSchemaTableName3, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for view some-catalog.test.owned_by_group to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("user", "owner", "authorized"), catalogSchemaTableName3, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for view some-catalog.test.owned_by_group to USER new_user");
        newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("authorized", "group", "owner"), catalogSchemaTableName4, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("user", "group", "owner_authorized"), catalogSchemaTableName4, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("user", "group", "owner"), catalogSchemaTableName4, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for view some-catalog.test.owned_by_role to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("DENY_authorized", "group", "owner"), catalogSchemaTableName4, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for view some-catalog.test.owned_by_role to USER new_user");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("user", "group", "owner_DENY_authorized"), catalogSchemaTableName4, new TrinoPrincipal(PrincipalType.ROLE, "new_role"));
        }, "Cannot set authorization for view some-catalog.test.owned_by_role to ROLE new_role");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(user("user", "group", "owner_authorized"), catalogSchemaTableName4, new TrinoPrincipal(PrincipalType.USER, "new_user"));
        }, "Cannot set authorization for view some-catalog.test.owned_by_role to USER new_user");
    }

    @Test
    public void testFunctionsFilter() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-access-function-filter.json");
        ImmutableSet build = ImmutableSet.builder().add(new SchemaFunctionName("restricted", "any")).add(new SchemaFunctionName("secret", "any")).add(new SchemaFunctionName("aliceschema", "any")).add(new SchemaFunctionName("aliceschema", "bobfunction")).add(new SchemaFunctionName("bobschema", "bob_any")).add(new SchemaFunctionName("bobschema", "any")).add(new SchemaFunctionName("any", "any")).build();
        Assertions.assertThat(newFileBasedSystemAccessControl.filterFunctions(ALICE, "any", build)).isEqualTo(ImmutableSet.builder().add(new SchemaFunctionName("aliceschema", "any")).add(new SchemaFunctionName("aliceschema", "bobfunction")).build());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterFunctions(BOB, "any", build)).isEqualTo(ImmutableSet.builder().add(new SchemaFunctionName("aliceschema", "bobfunction")).add(new SchemaFunctionName("bobschema", "bob_any")).build());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterFunctions(ADMIN, "any", build)).isEqualTo(ImmutableSet.builder().add(new SchemaFunctionName("secret", "any")).add(new SchemaFunctionName("aliceschema", "any")).add(new SchemaFunctionName("aliceschema", "bobfunction")).add(new SchemaFunctionName("bobschema", "bob_any")).add(new SchemaFunctionName("bobschema", "any")).add(new SchemaFunctionName("any", "any")).build());
    }

    @Test
    public void testFunctionsFilterNoAccess() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl("file-based-system-no-access.json");
        ImmutableSet build = ImmutableSet.builder().add(new SchemaFunctionName("restricted", "any")).add(new SchemaFunctionName("secret", "any")).add(new SchemaFunctionName("any", "any")).build();
        Assertions.assertThat(newFileBasedSystemAccessControl.filterFunctions(ALICE, "any", build)).isEqualTo(ImmutableSet.of());
        Assertions.assertThat(newFileBasedSystemAccessControl.filterFunctions(BOB, "any", build)).isEqualTo(ImmutableSet.of());
    }

    @Test
    public void testAuthorizationDocsExample() {
        SystemAccessControl newFileBasedSystemAccessControl = newFileBasedSystemAccessControl(new File("../../docs/src/main/sphinx/security/authorization.json"), ImmutableMap.of());
        CatalogSchemaName catalogSchemaName = new CatalogSchemaName("catalog", "schema");
        CatalogSchemaTableName catalogSchemaTableName = new CatalogSchemaTableName("catalog", "schema", "table_or_view");
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(ADMIN, catalogSchemaName, new TrinoPrincipal(PrincipalType.USER, "alice"));
        newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(ADMIN, catalogSchemaName, new TrinoPrincipal(PrincipalType.ROLE, "role"));
        newFileBasedSystemAccessControl.checkCanSetTableAuthorization(ADMIN, catalogSchemaTableName, new TrinoPrincipal(PrincipalType.USER, "alice"));
        newFileBasedSystemAccessControl.checkCanSetTableAuthorization(ADMIN, catalogSchemaTableName, new TrinoPrincipal(PrincipalType.ROLE, "role"));
        newFileBasedSystemAccessControl.checkCanSetViewAuthorization(ADMIN, catalogSchemaTableName, new TrinoPrincipal(PrincipalType.USER, "alice"));
        newFileBasedSystemAccessControl.checkCanSetViewAuthorization(ADMIN, catalogSchemaTableName, new TrinoPrincipal(PrincipalType.ROLE, "role"));
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetSchemaAuthorization(ADMIN, catalogSchemaName, new TrinoPrincipal(PrincipalType.USER, "bob"));
        }, "Cannot set authorization for schema catalog.schema to USER bob");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetTableAuthorization(ADMIN, catalogSchemaTableName, new TrinoPrincipal(PrincipalType.USER, "bob"));
        }, "Cannot set authorization for table catalog.schema.table_or_view to USER bob");
        assertAccessDenied(() -> {
            newFileBasedSystemAccessControl.checkCanSetViewAuthorization(ADMIN, catalogSchemaTableName, new TrinoPrincipal(PrincipalType.USER, "bob"));
        }, "Cannot set authorization for view catalog.schema.table_or_view to USER bob");
    }

    private static SystemSecurityContext user(String str, String str2, String str3) {
        return new SystemSecurityContext(Identity.forUser(str).withGroups(ImmutableSet.of(str2)).withEnabledRoles(ImmutableSet.of(str3)).build(), queryId, queryStart);
    }

    @Test
    public void parseUnknownRules() {
        Assertions.assertThatThrownBy(() -> {
            newFileBasedSystemAccessControl("file-based-system-security-config-file-with-unknown-rules.json");
        }).hasMessageContaining("Failed to convert JSON tree node");
    }

    @Test
    public void testTableRulesForCheckCanInsertIntoTableWithJsonPointer() {
        assertTableRulesForCheckCanInsertIntoTable(newFileBasedSystemAccessControl(new File(getResourcePath("file-based-system-access-table-with-json-pointer.json")), ImmutableMap.of("security.json-pointer", "/data")));
    }

    protected SystemAccessControl newFileBasedSystemAccessControl(String str) {
        return newFileBasedSystemAccessControl(new File(getResourcePath(str)), ImmutableMap.of());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public SystemAccessControl newFileBasedSystemAccessControl(Map<String, String> map) {
        return new FileBasedSystemAccessControl.Factory().create(map);
    }

    protected String getResourcePath(String str) {
        return ((URL) Objects.requireNonNull(getClass().getClassLoader().getResource(str), "Resource does not exist: " + str)).getPath();
    }

    private static void assertAccessDenied(ThrowableAssert.ThrowingCallable throwingCallable, String str) {
        Assertions.assertThatThrownBy(throwingCallable).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: " + str);
    }
}
