package com.google.cloud.spanner.it;

import com.google.api.gax.rpc.PermissionDeniedException;
import com.google.cloud.spanner.Database;
import com.google.cloud.spanner.DatabaseAdminClient;
import com.google.cloud.spanner.DatabaseClient;
import com.google.cloud.spanner.DatabaseId;
import com.google.cloud.spanner.ErrorCode;
import com.google.cloud.spanner.IntegrationTestEnv;
import com.google.cloud.spanner.Options;
import com.google.cloud.spanner.ParallelIntegrationTest;
import com.google.cloud.spanner.ResultSet;
import com.google.cloud.spanner.SpannerException;
import com.google.cloud.spanner.SpannerOptions;
import com.google.cloud.spanner.Statement;
import com.google.cloud.spanner.testing.EmulatorSpannerHelper;
import com.google.cloud.spanner.testing.RemoteSpannerHelper;
import com.google.common.collect.ImmutableList;
import com.google.common.truth.Truth;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;

@RunWith(JUnit4.class)
@Category({ParallelIntegrationTest.class})
/* loaded from: input_file:com/google/cloud/spanner/it/ITDatabaseRolePermissionTest.class */
public class ITDatabaseRolePermissionTest {

    @ClassRule
    public static IntegrationTestEnv env = new IntegrationTestEnv();
    private static DatabaseAdminClient dbAdminClient;
    private static RemoteSpannerHelper testHelper;
    private static List<DatabaseId> databasesToDrop;

    @BeforeClass
    public static void setUp() {
        Assume.assumeFalse("Emulator does not support database roles", EmulatorSpannerHelper.isUsingEmulator());
        testHelper = env.getTestHelper();
        dbAdminClient = testHelper.getClient().getDatabaseAdminClient();
        databasesToDrop = new ArrayList();
    }

    @AfterClass
    public static void cleanup() throws Exception {
        if (databasesToDrop != null) {
            for (DatabaseId databaseId : databasesToDrop) {
                try {
                    dbAdminClient.dropDatabase(databaseId.getInstanceId().getInstance(), databaseId.getDatabase());
                } catch (Exception e) {
                    System.err.println("Failed to drop database " + databaseId + ", skipping...: " + e.getMessage());
                }
            }
        }
    }

    @Test
    public void grantAndRevokeDatabaseRolePermissions() throws Exception {
        String uniqueDatabaseId = testHelper.getUniqueDatabaseId();
        String instanceId = testHelper.getInstanceId().getInstance();
        Database database = (Database) dbAdminClient.createDatabase(instanceId, uniqueDatabaseId, ImmutableList.of("CREATE TABLE T (\n  K STRING(MAX),\n) PRIMARY KEY(K)", String.format("CREATE ROLE %s", "parent"), String.format("GRANT SELECT ON TABLE T TO ROLE %s", "parent"))).get(5L, TimeUnit.MINUTES);
        DatabaseClient databaseClient = SpannerOptions.newBuilder().setDatabaseRole("parent").build().getService().getDatabaseClient(database.getId());
        try {
            ResultSet executeQuery = databaseClient.singleUse().executeQuery(Statement.of("SELECT COUNT(*) as cnt FROM T"), new Options.QueryOption[0]);
            try {
                Assert.assertTrue(executeQuery.next());
                if (executeQuery != null) {
                    executeQuery.close();
                }
            } catch (Throwable th) {
                if (executeQuery != null) {
                    try {
                        executeQuery.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (PermissionDeniedException e) {
            Assert.fail("Got PermissionDeniedException when it should not have occurred.");
        }
        dbAdminClient.updateDatabaseDdl(instanceId, uniqueDatabaseId, Arrays.asList(String.format("REVOKE SELECT ON TABLE T FROM ROLE %s", "parent")), (String) null).get(5L, TimeUnit.MINUTES);
        ResultSet executeQuery2 = databaseClient.singleUse().executeQuery(Statement.of("SELECT COUNT(*) as cnt FROM T"), new Options.QueryOption[0]);
        try {
            SpannerException assertThrows = Assert.assertThrows(SpannerException.class, () -> {
                executeQuery2.next();
            });
            Truth.assertThat(assertThrows.getErrorCode()).isEqualTo(ErrorCode.PERMISSION_DENIED);
            Truth.assertThat(assertThrows.getMessage()).contains("parent");
            if (executeQuery2 != null) {
                executeQuery2.close();
            }
            dbAdminClient.updateDatabaseDdl(instanceId, uniqueDatabaseId, Arrays.asList("DROP TABLE T", String.format("DROP ROLE %s", "parent")), (String) null).get(5L, TimeUnit.MINUTES);
            databasesToDrop.add(database.getId());
        } catch (Throwable th3) {
            if (executeQuery2 != null) {
                try {
                    executeQuery2.close();
                } catch (Throwable th4) {
                    th3.addSuppressed(th4);
                }
            }
            throw th3;
        }
    }

    @Test
    public void roleWithNoPermissions() throws Exception {
        String uniqueDatabaseRole = testHelper.getUniqueDatabaseRole();
        String uniqueDatabaseId = testHelper.getUniqueDatabaseId();
        String instanceId = testHelper.getInstanceId().getInstance();
        Database database = (Database) dbAdminClient.createDatabase(instanceId, uniqueDatabaseId, ImmutableList.of("CREATE TABLE T (\n  K STRING(MAX),\n) PRIMARY KEY(K)", String.format("CREATE ROLE %s", uniqueDatabaseRole))).get(5L, TimeUnit.MINUTES);
        ResultSet executeQuery = SpannerOptions.newBuilder().setDatabaseRole(uniqueDatabaseRole).build().getService().getDatabaseClient(database.getId()).singleUse().executeQuery(Statement.of("SELECT COUNT(*) as cnt FROM T"), new Options.QueryOption[0]);
        try {
            SpannerException assertThrows = Assert.assertThrows(SpannerException.class, () -> {
                executeQuery.next();
            });
            Truth.assertThat(assertThrows.getErrorCode()).isEqualTo(ErrorCode.PERMISSION_DENIED);
            Truth.assertThat(assertThrows.getMessage()).contains(uniqueDatabaseRole);
            if (executeQuery != null) {
                executeQuery.close();
            }
            dbAdminClient.updateDatabaseDdl(instanceId, uniqueDatabaseId, Arrays.asList("DROP TABLE T", String.format("DROP ROLE %s", uniqueDatabaseRole)), (String) null).get(5L, TimeUnit.MINUTES);
            databasesToDrop.add(database.getId());
        } catch (Throwable th) {
            if (executeQuery != null) {
                try {
                    executeQuery.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }
}
