package org.apache.drill.exec.impersonation;

import com.google.common.collect.Maps;
import java.util.HashMap;
import java.util.Map;
import org.apache.drill.categories.SecurityTest;
import org.apache.drill.categories.SlowTest;
import org.apache.drill.common.exceptions.UserRemoteException;
import org.apache.drill.common.util.DrillFileUtils;
import org.apache.drill.exec.store.StoragePluginRegistry;
import org.apache.drill.exec.store.avro.AvroDataGenerator;
import org.apache.drill.exec.store.dfs.WorkspaceConfig;
import org.apache.drill.exec.util.StoragePluginTestUtils;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsPermission;
import org.hamcrest.MatcherAssert;
import org.hamcrest.core.StringContains;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.experimental.categories.Category;

@Category({SlowTest.class, SecurityTest.class})
/* loaded from: input_file:org/apache/drill/exec/impersonation/TestImpersonationQueries.class */
public class TestImpersonationQueries extends BaseTestImpersonation {
    @BeforeClass
    public static void setup() throws Exception {
        startMiniDfsCluster(TestImpersonationQueries.class.getSimpleName());
        startDrillCluster(true);
        addMiniDfsBasedStorage(createTestWorkspaces());
        createTestData();
    }

    private static void createTestData() throws Exception {
        createTestTable(org1Users[0], org1Groups[0], "lineitem");
        createTestTable(org2Users[0], org2Groups[0], "orders");
        createNestedTestViewsOnLineItem();
        createNestedTestViewsOnOrders();
        createRecordReadersData(org1Users[0], org1Groups[0]);
    }

    private static Map<String, WorkspaceConfig> createTestWorkspaces() throws Exception {
        Path path = new Path("/tmp");
        fs.delete(path, true);
        FileSystem.mkdirs(fs, path, new FsPermission((short) 511));
        HashMap newHashMap = Maps.newHashMap();
        for (int i = 0; i < org1Users.length; i++) {
            String str = org1Users[i];
            createAndAddWorkspace(str, getUserHome(str), (short) 493, str, org1Groups[i], newHashMap);
        }
        for (int i2 = 0; i2 < org2Users.length; i2++) {
            String str2 = org2Users[i2];
            createAndAddWorkspace(str2, getUserHome(str2), (short) 493, str2, org2Groups[i2], newHashMap);
        }
        return newHashMap;
    }

    private static void createTestTable(String str, String str2, String str3) throws Exception {
        updateClient(str);
        test("USE " + getWSSchema(str));
        test("CREATE TABLE %s as SELECT * FROM cp.`tpch/%s.parquet`", str3, str3);
        Path path = new Path(getUserHome(str), str3);
        fs.setOwner(path, str, str2);
        fs.setPermission(path, new FsPermission((short) 488));
    }

    private static void createNestedTestViewsOnLineItem() throws Exception {
        createView(org1Users[1], org1Groups[1], (short) 488, "u1_lineitem", getWSSchema(org1Users[0]), "lineitem");
        createView(org1Users[2], org1Groups[2], (short) 488, "u2_lineitem", getWSSchema(org1Users[1]), "u1_lineitem");
        createView(org1Users[2], org1Groups[2], (short) 488, "u22_lineitem", getWSSchema(org1Users[2]), "u2_lineitem");
        createView(org1Users[3], org1Groups[3], (short) 488, "u3_lineitem", getWSSchema(org1Users[2]), "u22_lineitem");
        createView(org1Users[4], org1Groups[4], (short) 493, "u4_lineitem", getWSSchema(org1Users[3]), "u3_lineitem");
    }

    private static void createNestedTestViewsOnOrders() throws Exception {
        createView(org2Users[1], org2Groups[1], (short) 488, "u1_orders", getWSSchema(org2Users[0]), "orders");
        createView(org2Users[2], org2Groups[2], (short) 488, "u2_orders", getWSSchema(org2Users[1]), "u1_orders");
        createView(org2Users[2], org2Groups[2], (short) 488, "u22_orders", getWSSchema(org2Users[2]), "u2_orders");
        createView(org2Users[3], org2Groups[3], (short) 493, "u3_orders", getWSSchema(org2Users[2]), "u22_orders");
        createView(org2Users[4], org2Groups[4], (short) 493, "u4_orders", getWSSchema(org2Users[3]), "u3_orders");
    }

    private static void createRecordReadersData(String str, String str2) throws Exception {
        updateClient(str);
        Path path = new Path(DrillFileUtils.getResourceAsFile("/sequencefiles/simple.seq").toURI().toString());
        Path path2 = new Path(getUserHome(str), "simple.seq");
        fs.copyFromLocalFile(path, path2);
        fs.setOwner(path2, str, str2);
        fs.setPermission(path2, new FsPermission((short) 448));
        Path path3 = new Path(new AvroDataGenerator(dirTestWatcher).generateSimplePrimitiveSchema_NoNullValues().getFilePath());
        Path path4 = new Path(getUserHome(str), "simple.avro");
        fs.copyFromLocalFile(path3, path4);
        fs.setOwner(path4, str, str2);
        fs.setPermission(path4, new FsPermission((short) 448));
    }

    @Test
    public void testDirectImpersonation_HasUserReadPermissions() throws Exception {
        updateClient(org1Users[0]);
        test("SELECT * FROM %s.lineitem ORDER BY l_orderkey LIMIT 1", getWSSchema(org1Users[0]));
    }

    @Test
    public void testDirectImpersonation_HasGroupReadPermissions() throws Exception {
        updateClient(org1Users[1]);
        test("SELECT * FROM %s.lineitem ORDER BY l_orderkey LIMIT 1", getWSSchema(org1Users[0]));
    }

    @Test
    public void testDirectImpersonation_NoReadPermissions() throws Exception {
        UserRemoteException userRemoteException = null;
        try {
            updateClient(org1Users[2]);
            test("SELECT * FROM %s.lineitem ORDER BY l_orderkey LIMIT 1", getWSSchema(org1Users[0]));
        } catch (UserRemoteException e) {
            userRemoteException = e;
        }
        Assert.assertNotNull("UserRemoteException is expected", userRemoteException);
        MatcherAssert.assertThat(userRemoteException.getMessage(), StringContains.containsString("PERMISSION ERROR: " + String.format("Not authorized to read table [lineitem] in schema [%s.user0_1]", "mini_dfs_plugin")));
    }

    @Test
    public void testMultiLevelImpersonationEqualToMaxUserHops() throws Exception {
        updateClient(org1Users[4]);
        test("SELECT * from %s.u4_lineitem LIMIT 1;", getWSSchema(org1Users[4]));
    }

    @Test
    public void testMultiLevelImpersonationExceedsMaxUserHops() throws Exception {
        UserRemoteException userRemoteException = null;
        try {
            updateClient(org1Users[5]);
            test("SELECT * from %s.u4_lineitem LIMIT 1;", getWSSchema(org1Users[4]));
        } catch (UserRemoteException e) {
            userRemoteException = e;
        }
        Assert.assertNotNull("UserRemoteException is expected", userRemoteException);
        MatcherAssert.assertThat(userRemoteException.getMessage(), StringContains.containsString("Cannot issue token for view expansion as issuing the token exceeds the maximum allowed number of user hops (3) in chained impersonation"));
    }

    @Test
    public void testMultiLevelImpersonationJoinEachSideReachesMaxUserHops() throws Exception {
        updateClient(org1Users[4]);
        test("SELECT * from %s.u4_lineitem l JOIN %s.u3_orders o ON l.l_orderkey = o.o_orderkey LIMIT 1", getWSSchema(org1Users[4]), getWSSchema(org2Users[3]));
    }

    @Test
    public void testMultiLevelImpersonationJoinOneSideExceedsMaxUserHops() throws Exception {
        UserRemoteException userRemoteException = null;
        try {
            updateClient(org1Users[4]);
            test("SELECT * from %s.u4_lineitem l JOIN %s.u4_orders o ON l.l_orderkey = o.o_orderkey LIMIT 1", getWSSchema(org1Users[4]), getWSSchema(org2Users[4]));
        } catch (UserRemoteException e) {
            userRemoteException = e;
        }
        Assert.assertNotNull("UserRemoteException is expected", userRemoteException);
        MatcherAssert.assertThat(userRemoteException.getMessage(), StringContains.containsString("Cannot issue token for view expansion as issuing the token exceeds the maximum allowed number of user hops (3) in chained impersonation"));
    }

    @Test
    public void sequenceFileChainedImpersonationWithView() throws Exception {
        createView(org1Users[0], org1Groups[0], "simple_seq_view", String.format("SELECT convert_from(t.binary_key, 'UTF8') as k FROM %s.`%s` t", "mini_dfs_plugin", new Path(getUserHome(org1Users[0]), "simple.seq")));
        try {
            updateClient(org1Users[1]);
            test("SELECT k FROM %s.%s.%s", "mini_dfs_plugin", StoragePluginTestUtils.TMP_SCHEMA, "simple_seq_view");
        } catch (UserRemoteException e) {
            Assert.assertNull("This test should pass.", e);
        }
        createView(org1Users[1], org1Groups[1], "simple_seq_view_2", String.format("SELECT k FROM %s.%s.%s", "mini_dfs_plugin", StoragePluginTestUtils.TMP_SCHEMA, "simple_seq_view"));
        try {
            updateClient(org1Users[2]);
            test("SELECT k FROM %s.%s.%s", "mini_dfs_plugin", StoragePluginTestUtils.TMP_SCHEMA, "simple_seq_view_2");
        } catch (UserRemoteException e2) {
            Assert.assertNull("This test should pass.", e2);
        }
    }

    @Test
    public void avroChainedImpersonationWithView() throws Exception {
        createView(org1Users[0], org1Groups[0], "simple_avro_view", String.format("SELECT h_boolean, e_double FROM %s.`%s` t", "mini_dfs_plugin", new Path(getUserHome(org1Users[0]), "simple.avro")));
        updateClient(org1Users[1]);
        test("SELECT h_boolean FROM %s.%s.%s", "mini_dfs_plugin", StoragePluginTestUtils.TMP_SCHEMA, "simple_avro_view");
    }

    @Test
    public void testCTEWithImpersonation() throws Exception {
        updateClient(org1Users[2]);
        test("use %s", getWSSchema(org1Users[0]));
        testBuilder().sqlQuery("with lineitem as (SELECT 1 as a) select * from lineitem").unOrdered().baselineColumns("a").baselineValues(1).go();
    }

    @AfterClass
    public static void removeMiniDfsBasedStorage() throws StoragePluginRegistry.PluginException {
        getDrillbitContext().getStorage().remove("mini_dfs_plugin");
        stopMiniDfsCluster();
    }
}
