package io.trino.plugin.hive.s3;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.io.Resources;
import io.trino.hadoop.ConfigurationInstantiator;
import io.trino.hdfs.DynamicConfigurationProvider;
import io.trino.hdfs.HdfsContext;
import io.trino.plugin.hive.HiveConfig;
import io.trino.plugin.hive.HiveSessionProperties;
import io.trino.plugin.hive.HiveTestUtils;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.ConnectorIdentity;
import io.trino.testing.TestingConnectorSession;
import java.util.Collection;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.assertj.core.api.Assertions;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:io/trino/plugin/hive/s3/TestS3SecurityMapping.class */
public class TestS3SecurityMapping {
    private static final HiveSessionProperties HIVE_SESSION_PROPERTIES = HiveTestUtils.getHiveSessionProperties(new HiveConfig());
    private static final String IAM_ROLE_CREDENTIAL_NAME = "IAM_ROLE_CREDENTIAL_NAME";
    private static final String KMS_KEY_ID_CREDENTIAL_NAME = "KMS_KEY_ID_CREDENTIAL_NAME";
    private static final String DEFAULT_PATH = "s3://default";
    private static final String DEFAULT_USER = "testuser";

    /* loaded from: input_file:io/trino/plugin/hive/s3/TestS3SecurityMapping$MappingResult.class */
    public static class MappingResult {
        private final Optional<String> accessKey;
        private final Optional<String> secretKey;
        private final Optional<String> role;
        private final Optional<String> kmsKeyId;
        private final Optional<String> endpoint;
        private final Optional<String> roleSessionName;

        public static MappingResult credentials(String str, String str2) {
            return new MappingResult(Optional.of(str), Optional.of(str2), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());
        }

        public static MappingResult role(String str) {
            return new MappingResult(Optional.empty(), Optional.empty(), Optional.of(str), Optional.empty(), Optional.empty(), Optional.empty());
        }

        public static MappingResult clusterDefaultRole() {
            return new MappingResult(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());
        }

        public static MappingResult endpoint(String str) {
            return new MappingResult(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.of(str), Optional.empty());
        }

        private MappingResult(Optional<String> optional, Optional<String> optional2, Optional<String> optional3, Optional<String> optional4, Optional<String> optional5, Optional<String> optional6) {
            this.accessKey = (Optional) Objects.requireNonNull(optional, "accessKey is null");
            this.secretKey = (Optional) Objects.requireNonNull(optional2, "secretKey is null");
            this.role = (Optional) Objects.requireNonNull(optional3, "role is null");
            this.kmsKeyId = (Optional) Objects.requireNonNull(optional4, "kmsKeyId is null");
            this.endpoint = (Optional) Objects.requireNonNull(optional5, "endpoint is null");
            this.roleSessionName = (Optional) Objects.requireNonNull(optional6, "roleSessionName is null");
        }

        public MappingResult withEndpoint(String str) {
            return new MappingResult(this.accessKey, this.secretKey, this.role, this.kmsKeyId, Optional.of(str), Optional.empty());
        }

        public MappingResult withKmsKeyId(String str) {
            return new MappingResult(this.accessKey, this.secretKey, this.role, Optional.of(str), this.endpoint, Optional.empty());
        }

        public MappingResult withRoleSessionName(String str) {
            return new MappingResult(this.accessKey, this.secretKey, this.role, this.kmsKeyId, Optional.empty(), Optional.of(str));
        }

        public Optional<String> getAccessKey() {
            return this.accessKey;
        }

        public Optional<String> getSecretKey() {
            return this.secretKey;
        }

        public Optional<String> getRole() {
            return this.role;
        }

        public Optional<String> getKmsKeyId() {
            return this.kmsKeyId;
        }

        public Optional<String> getEndpoint() {
            return this.endpoint;
        }

        public Optional<String> getRoleSessionName() {
            return this.roleSessionName;
        }
    }

    /* loaded from: input_file:io/trino/plugin/hive/s3/TestS3SecurityMapping$MappingSelector.class */
    public static class MappingSelector {
        private final String user;
        private final Set<String> groups;
        private final Path path;
        private final Optional<String> extraCredentialIamRole;
        private final Optional<String> extraCredentialKmsKeyId;

        public static MappingSelector empty() {
            return path(TestS3SecurityMapping.DEFAULT_PATH);
        }

        public static MappingSelector path(String str) {
            return new MappingSelector(TestS3SecurityMapping.DEFAULT_USER, ImmutableSet.of(), new Path(str), Optional.empty(), Optional.empty());
        }

        private MappingSelector(String str, Set<String> set, Path path, Optional<String> optional, Optional<String> optional2) {
            this.user = (String) Objects.requireNonNull(str, "user is null");
            this.groups = ImmutableSet.copyOf((Collection) Objects.requireNonNull(set, "groups is null"));
            this.path = (Path) Objects.requireNonNull(path, "path is null");
            this.extraCredentialIamRole = (Optional) Objects.requireNonNull(optional, "extraCredentialIamRole is null");
            this.extraCredentialKmsKeyId = (Optional) Objects.requireNonNull(optional2, "extraCredentialKmsKeyId is null");
        }

        public Path getPath() {
            return this.path;
        }

        public MappingSelector withExtraCredentialIamRole(String str) {
            return new MappingSelector(this.user, this.groups, this.path, Optional.of(str), this.extraCredentialKmsKeyId);
        }

        public MappingSelector withExtraCredentialKmsKeyId(String str) {
            return new MappingSelector(this.user, this.groups, this.path, this.extraCredentialIamRole, Optional.of(str));
        }

        public MappingSelector withUser(String str) {
            return new MappingSelector(str, this.groups, this.path, this.extraCredentialIamRole, this.extraCredentialKmsKeyId);
        }

        public MappingSelector withGroups(String... strArr) {
            return new MappingSelector(this.user, ImmutableSet.copyOf(strArr), this.path, this.extraCredentialIamRole, this.extraCredentialKmsKeyId);
        }

        public HdfsContext getHdfsContext() {
            ImmutableMap.Builder builder = ImmutableMap.builder();
            this.extraCredentialIamRole.ifPresent(str -> {
                builder.put(TestS3SecurityMapping.IAM_ROLE_CREDENTIAL_NAME, str);
            });
            this.extraCredentialKmsKeyId.ifPresent(str2 -> {
                builder.put(TestS3SecurityMapping.KMS_KEY_ID_CREDENTIAL_NAME, str2);
            });
            return new HdfsContext(TestingConnectorSession.builder().setIdentity(ConnectorIdentity.forUser(this.user).withGroups(this.groups).withExtraCredentials(builder.buildOrThrow()).build()).setPropertyMetadata(TestS3SecurityMapping.HIVE_SESSION_PROPERTIES.getSessionProperties()).build());
        }
    }

    @Test
    public void testMapping() {
        S3SecurityMappingConfig colonReplacement = new S3SecurityMappingConfig().setConfigFilePath(Resources.getResource(getClass(), "security-mapping.json").getPath()).setRoleCredentialName(IAM_ROLE_CREDENTIAL_NAME).setKmsKeyIdCredentialName(KMS_KEY_ID_CREDENTIAL_NAME).setColonReplacement("#");
        S3SecurityMappingConfigurationProvider s3SecurityMappingConfigurationProvider = new S3SecurityMappingConfigurationProvider(colonReplacement, new FileBasedS3SecurityMappingsProvider(colonReplacement));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://foo/data/test.csv"), MappingResult.credentials("AKIAxxxaccess", "iXbXxxxsecret").withKmsKeyId("kmsKey_10"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://foo"), MappingResult.credentials("AKIAxxxaccess", "iXbXxxxsecret").withKmsKeyId("kmsKey_10"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://foo").withExtraCredentialKmsKeyId("kmsKey_10"), MappingResult.credentials("AKIAxxxaccess", "iXbXxxxsecret").withKmsKeyId("kmsKey_10"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://foo").withExtraCredentialKmsKeyId("kmsKey_11"), MappingResult.credentials("AKIAxxxaccess", "iXbXxxxsecret").withKmsKeyId("kmsKey_11"));
        assertMappingFails(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://foo").withExtraCredentialKmsKeyId("kmsKey_not_allowed"), "Selected KMS Key ID is not allowed");
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://foo_all_keys_allowed").withExtraCredentialKmsKeyId("kmsKey_777"), MappingResult.credentials("AKIAxxxaccess", "iXbXxxxsecret").withKmsKeyId("kmsKey_777"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://foo_no_default_key").withExtraCredentialKmsKeyId("kmsKey_12"), MappingResult.credentials("AKIAxxxaccess", "iXbXxxxsecret").withKmsKeyId("kmsKey_12"));
        assertMappingFails(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://bar/test"), "No S3 role selected and mapping has no default role");
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://bar/test").withExtraCredentialIamRole("arn:aws:iam::123456789101:role/allow_bucket_2"), MappingResult.role("arn:aws:iam::123456789101:role/allow_bucket_2"));
        assertMappingFails(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://bar/test").withUser("bob").withExtraCredentialIamRole("bogus"), "Selected S3 role is not allowed: bogus");
        Assertions.assertThat("arn#aws#iam##123456789101#role/allow_bucket_2").doesNotContain(new CharSequence[]{":"});
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://bar/test").withExtraCredentialIamRole("arn#aws#iam##123456789101#role/allow_bucket_2"), MappingResult.role("arn:aws:iam::123456789101:role/allow_bucket_2"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://bar/abc/data/test.csv"), MappingResult.role("arn:aws:iam::123456789101:role/allow_path"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.empty(), MappingResult.role("arn:aws:iam::123456789101:role/default"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://xyz/default"), MappingResult.role("arn:aws:iam::123456789101:role/allow_default"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://xyz/foo").withExtraCredentialIamRole("arn:aws:iam::123456789101:role/allow_foo"), MappingResult.role("arn:aws:iam::123456789101:role/allow_foo"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://xyz/bar").withExtraCredentialIamRole("arn:aws:iam::123456789101:role/allow_bar"), MappingResult.role("arn:aws:iam::123456789101:role/allow_bar"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.empty().withUser("alice"), MappingResult.role("alice_role"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.empty().withUser("alice").withExtraCredentialIamRole("alice_role"), MappingResult.role("alice_role"));
        assertMappingFails(s3SecurityMappingConfigurationProvider, MappingSelector.empty().withUser("alice").withExtraCredentialIamRole("bogus"), "Selected S3 role is not allowed: bogus");
        assertMappingFails(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://bar/test").withUser("alice").withExtraCredentialIamRole("alice_role"), "Selected S3 role is not allowed: alice_role");
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.empty().withUser("bob"), MappingResult.role("bob_and_charlie_role"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.empty().withGroups("finance"), MappingResult.role("finance_role"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.empty().withGroups("eng"), MappingResult.role("hr_and_eng_group"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.empty().withUser("danny"), MappingResult.role("arn:aws:iam::123456789101:role/default"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.empty().withGroups("hq"), MappingResult.role("arn:aws:iam::123456789101:role/default"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.empty().withUser("danny").withGroups("hq"), MappingResult.role("danny_hq_role"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://endpointbucket/bar"), MappingResult.credentials("AKIAxxxaccess", "iXbXxxxsecret").withEndpoint("http://localhost:7753"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://somebucket"), MappingResult.role("arn:aws:iam::1234567891012:role/default").withRoleSessionName("iam-trino-session"));
    }

    @Test
    public void testMappingWithFallbackToClusterDefault() {
        S3SecurityMappingConfig configFilePath = new S3SecurityMappingConfig().setConfigFilePath(Resources.getResource(getClass(), "security-mapping-with-fallback-to-cluster-default.json").getPath());
        S3SecurityMappingConfigurationProvider s3SecurityMappingConfigurationProvider = new S3SecurityMappingConfigurationProvider(configFilePath, new FileBasedS3SecurityMappingsProvider(configFilePath));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://bar/abc/data/test.csv"), MappingResult.role("arn:aws:iam::123456789101:role/allow_path"));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.empty(), MappingResult.clusterDefaultRole());
    }

    @Test
    public void testMappingWithoutFallback() {
        S3SecurityMappingConfig configFilePath = new S3SecurityMappingConfig().setConfigFilePath(Resources.getResource(getClass(), "security-mapping-without-fallback.json").getPath());
        S3SecurityMappingConfigurationProvider s3SecurityMappingConfigurationProvider = new S3SecurityMappingConfigurationProvider(configFilePath, new FileBasedS3SecurityMappingsProvider(configFilePath));
        assertMapping(s3SecurityMappingConfigurationProvider, MappingSelector.path("s3://bar/abc/data/test.csv"), MappingResult.role("arn:aws:iam::123456789101:role/allow_path"));
        assertMappingFails(s3SecurityMappingConfigurationProvider, MappingSelector.empty(), "No matching S3 security mapping");
    }

    @Test
    public void testMappingWithoutRoleCredentialsFallbackShouldFail() {
        Assertions.assertThatThrownBy(() -> {
            new S3SecurityMapping(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());
        }).isInstanceOf(IllegalArgumentException.class).hasMessage("must either allow useClusterDefault role or provide role and/or credentials");
    }

    @Test
    public void testMappingWithRoleAndFallbackShouldFail() {
        Optional of = Optional.of("arn:aws:iam::123456789101:role/allow_path");
        Optional of2 = Optional.of(true);
        Assertions.assertThatThrownBy(() -> {
            new S3SecurityMapping(Optional.empty(), Optional.empty(), Optional.empty(), of, Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), of2, Optional.empty());
        }).isInstanceOf(IllegalArgumentException.class).hasMessage("must either allow useClusterDefault role or provide role and/or credentials");
    }

    @Test
    public void testMappingWithEncryptionKeysAndFallbackShouldFail() {
        Optional of = Optional.of(true);
        Optional of2 = Optional.of("CLIENT_S3CRT_KEY_ID");
        Assertions.assertThatThrownBy(() -> {
            new S3SecurityMapping(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), of2, Optional.empty(), Optional.empty(), Optional.empty(), of, Optional.empty());
        }).isInstanceOf(IllegalArgumentException.class).hasMessage("KMS key ID cannot be provided together with useClusterDefault");
    }

    @Test
    public void testMappingWithRoleSessionNameWithoutIamRoleShouldFail() {
        Optional of = Optional.of("iam-trino-session");
        Assertions.assertThatThrownBy(() -> {
            new S3SecurityMapping(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), of, Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());
        }).isInstanceOf(IllegalArgumentException.class).hasMessage("iamRole must be provided when roleSessionName is provided");
    }

    private static void assertMapping(DynamicConfigurationProvider dynamicConfigurationProvider, MappingSelector mappingSelector, MappingResult mappingResult) {
        Configuration newEmptyConfiguration = ConfigurationInstantiator.newEmptyConfiguration();
        Assert.assertNull(newEmptyConfiguration.get("trino.s3.access-key"));
        Assert.assertNull(newEmptyConfiguration.get("trino.s3.secret-key"));
        Assert.assertNull(newEmptyConfiguration.get("trino.s3.iam-role"));
        Assert.assertNull(newEmptyConfiguration.get("trino.s3.kms-key-id"));
        applyMapping(dynamicConfigurationProvider, mappingSelector, newEmptyConfiguration);
        Assert.assertEquals(newEmptyConfiguration.get("trino.s3.access-key"), mappingResult.getAccessKey().orElse(null));
        Assert.assertEquals(newEmptyConfiguration.get("trino.s3.secret-key"), mappingResult.getSecretKey().orElse(null));
        Assert.assertEquals(newEmptyConfiguration.get("trino.s3.iam-role"), mappingResult.getRole().orElse(null));
        Assert.assertEquals(newEmptyConfiguration.get("trino.s3.kms-key-id"), mappingResult.getKmsKeyId().orElse(null));
        Assert.assertEquals(newEmptyConfiguration.get("trino.s3.endpoint"), mappingResult.getEndpoint().orElse(null));
        Assert.assertEquals(newEmptyConfiguration.get("trino.s3.role-session-name"), mappingResult.getRoleSessionName().orElse(null));
    }

    private static void assertMappingFails(DynamicConfigurationProvider dynamicConfigurationProvider, MappingSelector mappingSelector, String str) {
        Configuration newEmptyConfiguration = ConfigurationInstantiator.newEmptyConfiguration();
        Assertions.assertThatThrownBy(() -> {
            applyMapping(dynamicConfigurationProvider, mappingSelector, newEmptyConfiguration);
        }).isInstanceOf(AccessDeniedException.class).hasMessage("Access Denied: " + str);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void applyMapping(DynamicConfigurationProvider dynamicConfigurationProvider, MappingSelector mappingSelector, Configuration configuration) {
        dynamicConfigurationProvider.updateConfiguration(configuration, mappingSelector.getHdfsContext(), mappingSelector.getPath().toUri());
    }
}
