package com.facebook.presto.tests.hive;

import com.facebook.presto.tests.TestGroups;
import com.facebook.presto.tests.utils.QueryExecutors;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import io.airlift.log.Logger;
import io.prestodb.tempto.AfterTestWithContext;
import io.prestodb.tempto.BeforeTestWithContext;
import io.prestodb.tempto.ProductTest;
import io.prestodb.tempto.assertions.QueryAssert;
import io.prestodb.tempto.context.ContextDsl;
import io.prestodb.tempto.query.QueryExecutor;
import io.prestodb.tempto.sql.SqlContexts;
import java.util.Collection;
import java.util.Set;
import java.util.stream.Collectors;
import org.testng.annotations.Test;

/* loaded from: input_file:com/facebook/presto/tests/hive/TestGrantRevoke.class */
public class TestGrantRevoke extends ProductTest {
    private static final Set<String> PREDEFINED_ROLES = ImmutableSet.of("admin", "public");
    private String tableName;
    private String viewName;
    private QueryExecutor aliceExecutor;
    private QueryExecutor bobExecutor;

    @BeforeTestWithContext
    public void setup() {
        this.tableName = "alice_owned_table";
        this.viewName = "alice_view";
        this.aliceExecutor = QueryExecutors.connectToPresto("alice@presto");
        this.bobExecutor = QueryExecutors.connectToPresto("bob@presto");
        this.aliceExecutor.executeQuery(String.format("DROP TABLE IF EXISTS %s", this.tableName), new QueryExecutor.QueryParam[0]);
        this.aliceExecutor.executeQuery(String.format("CREATE TABLE %s(month bigint, day bigint)", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryExecutors.onPresto().executeQuery("SET ROLE admin", new QueryExecutor.QueryParam[0]);
        QueryExecutors.onHive().executeQuery("SET ROLE admin", new QueryExecutor.QueryParam[0]);
        assertAccessDeniedOnAllOperationsOnTable(this.bobExecutor, this.tableName);
    }

    @AfterTestWithContext
    public void cleanup() {
        try {
            this.aliceExecutor.executeQuery(String.format("DROP TABLE IF EXISTS %s", this.tableName), new QueryExecutor.QueryParam[0]);
            this.aliceExecutor.executeQuery(String.format("DROP VIEW IF EXISTS %s", this.viewName), new QueryExecutor.QueryParam[0]);
            cleanupRoles();
        } catch (Exception e) {
            Logger.get(getClass()).warn(e, "failed to drop table/view");
        }
    }

    @Test(groups = {TestGroups.AUTHORIZATION, TestGroups.PROFILE_SPECIFIC_TESTS})
    private void cleanupRoles() {
        for (String str : listRoles()) {
            if (!PREDEFINED_ROLES.contains(str)) {
                QueryExecutors.onHive().executeQuery(String.format("DROP ROLE %s", str), new QueryExecutor.QueryParam[0]);
            }
        }
    }

    private Set<String> listRoles() {
        return ImmutableSet.copyOf((Collection) QueryExecutors.onHive().executeQuery("SHOW ROLES", new QueryExecutor.QueryParam[0]).rows().stream().map(list -> {
            return list.get(0).toString();
        }).collect(Collectors.toSet()));
    }

    @Test(groups = {TestGroups.AUTHORIZATION, TestGroups.PROFILE_SPECIFIC_TESTS})
    public void testGrantRevoke() {
        this.aliceExecutor.executeQuery(String.format("GRANT SELECT ON %s TO bob WITH GRANT OPTION", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0])).hasNoRows();
        this.aliceExecutor.executeQuery(String.format("GRANT INSERT, SELECT ON %s TO bob", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(this.bobExecutor.executeQuery(String.format("INSERT INTO %s VALUES (3, 22)", this.tableName), new QueryExecutor.QueryParam[0])).hasRowsCount(1);
        QueryAssert.assertThat(this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0])).hasRowsCount(1);
        QueryAssert.assertThat(() -> {
            return this.bobExecutor.executeQuery(String.format("DELETE FROM %s WHERE day=3", this.tableName), new QueryExecutor.QueryParam[0]);
        }).failsWithMessage(String.format("Access Denied: Cannot delete from table default.%s", this.tableName));
        this.aliceExecutor.executeQuery(String.format("REVOKE INSERT ON %s FROM bob", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(() -> {
            return this.bobExecutor.executeQuery(String.format("INSERT INTO %s VALUES ('y', 5)", this.tableName), new QueryExecutor.QueryParam[0]);
        }).failsWithMessage(String.format("Access Denied: Cannot insert into table default.%s", this.tableName));
        QueryAssert.assertThat(this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0])).hasRowsCount(1);
        this.aliceExecutor.executeQuery(String.format("REVOKE INSERT, SELECT ON %s FROM bob", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(() -> {
            return this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0]);
        }).failsWithMessage(String.format("Access Denied: Cannot select from table default.%s", this.tableName));
    }

    @Test(groups = {TestGroups.AUTHORIZATION, TestGroups.PROFILE_SPECIFIC_TESTS})
    public void testShowGrants() {
        QueryExecutors.onPresto().executeQuery("CREATE ROLE role1", new QueryExecutor.QueryParam[0]);
        QueryExecutors.onPresto().executeQuery(String.format("GRANT SELECT ON %s TO ROLE role1", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryExecutors.onPresto().executeQuery("GRANT role1 TO USER bob", new QueryExecutor.QueryParam[0]);
        this.aliceExecutor.executeQuery(String.format("GRANT SELECT ON %s TO bob WITH GRANT OPTION", this.tableName), new QueryExecutor.QueryParam[0]);
        this.aliceExecutor.executeQuery(String.format("GRANT INSERT ON %s TO bob", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(this.bobExecutor.executeQuery(String.format("SHOW GRANTS ON %s", this.tableName), new QueryExecutor.QueryParam[0])).containsOnly(ImmutableList.of(QueryAssert.Row.row(new Object[]{"alice", "USER", "bob", "USER", "hive", "default", "alice_owned_table", "SELECT", "YES", null}), QueryAssert.Row.row(new Object[]{"alice", "USER", "bob", "USER", "hive", "default", "alice_owned_table", "INSERT", "NO", null}), QueryAssert.Row.row(new Object[]{"hdfs", "USER", "role1", "ROLE", "hive", "default", "alice_owned_table", "SELECT", "NO", null})));
    }

    @Test(groups = {TestGroups.AUTHORIZATION, TestGroups.PROFILE_SPECIFIC_TESTS})
    public void testAll() {
        this.aliceExecutor.executeQuery(String.format("GRANT ALL PRIVILEGES ON %s TO USER bob", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(this.bobExecutor.executeQuery(String.format("INSERT INTO %s VALUES (4, 13)", this.tableName), new QueryExecutor.QueryParam[0])).hasRowsCount(1);
        QueryAssert.assertThat(this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0])).hasRowsCount(1);
        this.bobExecutor.executeQuery(String.format("DELETE FROM %s", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0])).hasNoRows();
        this.aliceExecutor.executeQuery(String.format("REVOKE ALL PRIVILEGES ON %s FROM USER bob", this.tableName), new QueryExecutor.QueryParam[0]);
        assertAccessDeniedOnAllOperationsOnTable(this.bobExecutor, this.tableName);
        QueryAssert.assertThat(this.bobExecutor.executeQuery(String.format("SHOW GRANTS ON %s", this.tableName), new QueryExecutor.QueryParam[0])).hasNoRows();
    }

    @Test(groups = {TestGroups.AUTHORIZATION, TestGroups.PROFILE_SPECIFIC_TESTS})
    public void testPublic() {
        this.aliceExecutor.executeQuery(String.format("GRANT SELECT ON %s TO ROLE PUBLIC", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0])).hasNoRows();
        this.aliceExecutor.executeQuery(String.format("REVOKE SELECT ON %s FROM ROLE PUBLIC", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(() -> {
            return this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0]);
        }).failsWithMessage(String.format("Access Denied: Cannot select from table default.%s", this.tableName));
        QueryAssert.assertThat(this.aliceExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0])).hasNoRows();
    }

    @Test(groups = {TestGroups.AUTHORIZATION, TestGroups.PROFILE_SPECIFIC_TESTS})
    public void testCustomRole() {
        QueryExecutors.onPresto().executeQuery("CREATE ROLE role1", new QueryExecutor.QueryParam[0]);
        QueryExecutors.onPresto().executeQuery("GRANT role1 TO USER bob", new QueryExecutor.QueryParam[0]);
        this.aliceExecutor.executeQuery(String.format("GRANT SELECT ON %s TO ROLE role1", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0])).hasNoRows();
        this.aliceExecutor.executeQuery(String.format("REVOKE SELECT ON %s FROM ROLE role1", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(() -> {
            return this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0]);
        }).failsWithMessage(String.format("Access Denied: Cannot select from table default.%s", this.tableName));
        QueryAssert.assertThat(this.aliceExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0])).hasNoRows();
    }

    @Test(groups = {TestGroups.AUTHORIZATION, TestGroups.PROFILE_SPECIFIC_TESTS})
    public void testTransitiveRole() {
        QueryExecutors.onPresto().executeQuery("CREATE ROLE role1", new QueryExecutor.QueryParam[0]);
        QueryExecutors.onPresto().executeQuery("CREATE ROLE role2", new QueryExecutor.QueryParam[0]);
        QueryExecutors.onPresto().executeQuery("GRANT role1 TO USER bob", new QueryExecutor.QueryParam[0]);
        QueryExecutors.onPresto().executeQuery("GRANT role2 TO ROLE role1", new QueryExecutor.QueryParam[0]);
        this.aliceExecutor.executeQuery(String.format("GRANT SELECT ON %s TO ROLE role2", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0])).hasNoRows();
        this.aliceExecutor.executeQuery(String.format("REVOKE SELECT ON %s FROM ROLE role2", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(() -> {
            return this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0]);
        }).failsWithMessage(String.format("Access Denied: Cannot select from table default.%s", this.tableName));
        QueryAssert.assertThat(this.aliceExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0])).hasNoRows();
    }

    @Test(groups = {TestGroups.AUTHORIZATION, TestGroups.PROFILE_SPECIFIC_TESTS})
    public void testDropRoleWithPermissionsGranted() {
        QueryExecutors.onPresto().executeQuery("CREATE ROLE role1", new QueryExecutor.QueryParam[0]);
        QueryExecutors.onPresto().executeQuery("GRANT role1 TO USER bob", new QueryExecutor.QueryParam[0]);
        this.aliceExecutor.executeQuery(String.format("GRANT SELECT ON %s TO ROLE role1", this.tableName), new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0])).hasNoRows();
        QueryExecutors.onPresto().executeQuery("DROP ROLE role1", new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(() -> {
            return this.bobExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0]);
        }).failsWithMessage(String.format("Access Denied: Cannot select from table default.%s", this.tableName));
        QueryAssert.assertThat(this.aliceExecutor.executeQuery(String.format("SELECT * FROM %s", this.tableName), new QueryExecutor.QueryParam[0])).hasNoRows();
    }

    @Test(groups = {TestGroups.AUTHORIZATION, TestGroups.PROFILE_SPECIFIC_TESTS})
    public void testTableOwnerPrivileges() {
        QueryExecutors.onHive().executeQuery("set role admin;", new QueryExecutor.QueryParam[0]);
        QueryAssert.assertThat(QueryExecutors.onHive().executeQuery(String.format("SHOW GRANT USER alice ON TABLE %s", this.tableName), new QueryExecutor.QueryParam[0]).project(new int[]{7, 8})).containsOnly(ownerGrants());
    }

    @Test(groups = {TestGroups.AUTHORIZATION, TestGroups.PROFILE_SPECIFIC_TESTS})
    public void testViewOwnerPrivileges() {
        QueryExecutors.onHive().executeQuery("set role admin;", new QueryExecutor.QueryParam[0]);
        ContextDsl.executeWith(SqlContexts.createViewAs(this.viewName, String.format("SELECT * FROM %s", this.tableName), this.aliceExecutor), view -> {
            QueryAssert.assertThat(QueryExecutors.onHive().executeQuery(String.format("SHOW GRANT USER alice ON %s", this.viewName), new QueryExecutor.QueryParam[0]).project(new int[]{7, 8})).containsOnly(ownerGrants());
        });
    }

    private ImmutableList<QueryAssert.Row> ownerGrants() {
        return ImmutableList.of(QueryAssert.Row.row(new Object[]{"SELECT", Boolean.TRUE}), QueryAssert.Row.row(new Object[]{"INSERT", Boolean.TRUE}), QueryAssert.Row.row(new Object[]{"UPDATE", Boolean.TRUE}), QueryAssert.Row.row(new Object[]{"DELETE", Boolean.TRUE}));
    }

    private static void assertAccessDeniedOnAllOperationsOnTable(QueryExecutor queryExecutor, String str) {
        QueryAssert.assertThat(() -> {
            return queryExecutor.executeQuery(String.format("SELECT * FROM %s", str), new QueryExecutor.QueryParam[0]);
        }).failsWithMessage(String.format("Access Denied: Cannot select from table default.%s", str));
        QueryAssert.assertThat(() -> {
            return queryExecutor.executeQuery(String.format("INSERT INTO %s VALUES (3, 22)", str), new QueryExecutor.QueryParam[0]);
        }).failsWithMessage(String.format("Access Denied: Cannot insert into table default.%s", str));
        QueryAssert.assertThat(() -> {
            return queryExecutor.executeQuery(String.format("DELETE FROM %s WHERE day=3", str), new QueryExecutor.QueryParam[0]);
        }).failsWithMessage(String.format("Access Denied: Cannot delete from table default.%s", str));
    }
}
