package com.google.cloud.spanner.it;

import com.google.api.gax.core.FixedCredentialsProvider;
import com.google.api.gax.grpc.InstantiatingGrpcChannelProvider;
import com.google.api.gax.rpc.PermissionDeniedException;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.Policy;
import com.google.cloud.Timestamp;
import com.google.cloud.spanner.BackupId;
import com.google.cloud.spanner.DatabaseAdminClient;
import com.google.cloud.spanner.DatabaseClient;
import com.google.cloud.spanner.DatabaseId;
import com.google.cloud.spanner.ErrorCode;
import com.google.cloud.spanner.InstanceAdminClient;
import com.google.cloud.spanner.InstanceId;
import com.google.cloud.spanner.KeySet;
import com.google.cloud.spanner.Options;
import com.google.cloud.spanner.SerialIntegrationTest;
import com.google.cloud.spanner.SessionPoolOptions;
import com.google.cloud.spanner.Spanner;
import com.google.cloud.spanner.SpannerException;
import com.google.cloud.spanner.SpannerOptions;
import com.google.common.base.Strings;
import com.google.common.truth.Truth;
import com.google.longrunning.OperationsClient;
import com.google.longrunning.OperationsSettings;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.concurrent.ExecutionException;
import java.util.logging.Logger;
import org.junit.After;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;

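/**
 * Negative integration tests for Spanner behind a VPC Service Controls perimeter.
 *
 * <p>Every test sends a request that targets {@code OUTSIDE_VPC_PROJECT}, a project that the
 * environment configuration declares to be outside the perimeter, and asserts that the call is
 * rejected with {@code PERMISSION_DENIED} and the organization-policy message. All resource
 * names are deliberately non-existent: the expected outcome is the policy denial, not a
 * {@code NOT_FOUND}, so a test that reaches resource lookup is treated as a failure.
 *
 * <p>The suite is skipped unless {@code GOOGLE_CLOUD_TESTS_IN_VPCSC} is {@code true}, and it is
 * skipped when {@code SPANNER_EMULATOR_HOST} is set.
 */
@RunWith(JUnit4.class)
@Category({SerialIntegrationTest.class})
public class ITVPCNegativeTest {
    private static final Logger logger = Logger.getLogger(ITVPCNegativeTest.class.getName());
    private static final String IN_VPCSC_TEST = System.getenv("GOOGLE_CLOUD_TESTS_IN_VPCSC");
    private static final String OUTSIDE_VPC_PROJECT = System.getenv("GOOGLE_CLOUD_TESTS_VPCSC_OUTSIDE_PERIMETER_PROJECT");
    private Spanner spanner;
    private InstanceAdminClient instanceAdminClient;
    private DatabaseAdminClient databaseAdminClient;
    private DatabaseClient databaseClient;
    private InstanceId instanceId;
    private BackupId backupId;

    /**
     * Gates the whole suite on the environment.
     *
     * <p>A missing or non-"true" {@code GOOGLE_CLOUD_TESTS_IN_VPCSC} skips the suite; a missing
     * outside-perimeter project is a hard failure, because without it no test here can prove a
     * cross-perimeter denial. The suite is also skipped when an emulator host is configured.
     */
    @BeforeClass
    public static void setUpClass() {
        Assume.assumeTrue("To run tests, GOOGLE_CLOUD_TESTS_IN_VPCSC environment variable needs to be set to True", IN_VPCSC_TEST != null && IN_VPCSC_TEST.equalsIgnoreCase("true"));
        Assert.assertFalse("GOOGLE_CLOUD_TESTS_VPCSC_OUTSIDE_PERIMETER_PROJECT environment variable needs to be set to a GCP project that is outside the VPC perimeter", Strings.isNullOrEmpty(OUTSIDE_VPC_PROJECT));
        Assume.assumeTrue(Strings.isNullOrEmpty(System.getenv("SPANNER_EMULATOR_HOST")));
    }

    /** Builds a fresh client for each test, pointed at non-existent resources in the outside project. */
    @Before
    public void setUp() {
        instanceId = InstanceId.of(OUTSIDE_VPC_PROJECT, "nonexistent-instance");
        backupId = BackupId.of(OUTSIDE_VPC_PROJECT, "nonexistent-instance", "nonexistent-backup");
        // NOTE(review): minSessions=0 presumably keeps client construction from issuing session
        // RPCs of its own, so the first request seen by the service is the one under test - confirm.
        SessionPoolOptions sessionPoolOptions =
            SessionPoolOptions.newBuilder().setMinSessions(0).setFailIfPoolExhausted().build();
        spanner =
            SpannerOptions.newBuilder()
                .setProjectId(instanceId.getProject())
                .setSessionPoolOption(sessionPoolOptions)
                .build()
                .getService();
        instanceAdminClient = spanner.getInstanceAdminClient();
        databaseAdminClient = spanner.getDatabaseAdminClient();
        databaseClient = spanner.getDatabaseClient(DatabaseId.of(OUTSIDE_VPC_PROJECT, "nonexistent-instance", "nonexistent-database"));
    }

    /** Releases the per-test client. */
    @After
    public void tearDown() {
        spanner.close();
    }

    /**
     * Asserts that {@code spannerException} is the organization-policy denial.
     *
     * <p>Both checks matter: the error code alone only says the request was refused, while the
     * message check is what ties the refusal to the organization's policy.
     *
     * @param spannerException the exception raised by the request under test
     */
    private void checkExceptionForVPCError(SpannerException spannerException) {
        Assert.assertEquals(ErrorCode.PERMISSION_DENIED, spannerException.getErrorCode());
        Truth.assertThat(spannerException.getMessage()).contains("Request is prohibited by organization's policy");
    }

    @Test
    public void deniedListInstanceConfigs() {
        try {
            instanceAdminClient.listInstanceConfigs(new Options.ListOption[0]);
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedGetInstanceConfig() {
        try {
            instanceAdminClient.getInstanceConfig("nonexistent-configs");
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedListInstances() {
        try {
            instanceAdminClient.listInstances(new Options.ListOption[0]);
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedGetInstance() {
        try {
            instanceAdminClient.getInstance("non-existent");
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedListDatabases() {
        try {
            databaseAdminClient.listDatabases("nonexistent-instance", new Options.ListOption[]{Options.pageSize(1)});
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedGetDatabase() {
        try {
            databaseAdminClient.getDatabase("nonexistent-instance", "nonexistent-database");
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedRead() {
        try {
            // next() forces the read to execute; the result set is otherwise never consumed.
            databaseClient.singleUse().read("nonexistent-table", KeySet.all(), Collections.singletonList("nonexistent-col"), new Options.ReadOption[0]).next();
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedCreateBackup() throws InterruptedException {
        try {
            databaseAdminClient.createBackup(instanceId.getInstance(), "newbackup-id", "nonexistent-db", Timestamp.now()).get();
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (ExecutionException e) {
            // The denial surfaces as the cause of the failed long-running operation.
            checkExceptionForVPCError((SpannerException) e.getCause());
        }
    }

    @Test
    public void deniedGetBackup() {
        try {
            databaseAdminClient.getBackup(instanceId.getInstance(), backupId.getBackup());
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedUpdateBackup() {
        try {
            databaseAdminClient.updateBackup(instanceId.getInstance(), backupId.getBackup(), Timestamp.now());
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedListBackup() {
        try {
            databaseAdminClient.listBackups(instanceId.getInstance(), new Options.ListOption[0]);
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedDeleteBackup() {
        try {
            databaseAdminClient.deleteBackup(instanceId.getInstance(), backupId.getBackup());
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedRestoreDatabase() throws InterruptedException {
        try {
            databaseAdminClient.restoreDatabase(instanceId.getInstance(), "nonexistent-backup", instanceId.getInstance(), "newdb-id").get();
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (ExecutionException e) {
            // The denial surfaces as the cause of the failed long-running operation.
            checkExceptionForVPCError((SpannerException) e.getCause());
        }
    }

    @Test
    public void deniedListBackupOperationsInInstance() {
        try {
            databaseAdminClient.listBackupOperations(instanceId.getInstance(), new Options.ListOption[0]);
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedListDatabaseOperationsInInstance() {
        try {
            databaseAdminClient.listDatabaseOperations(instanceId.getInstance(), new Options.ListOption[0]);
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedGetBackupIamPolicy() {
        try {
            databaseAdminClient.getBackupIAMPolicy(instanceId.getInstance(), backupId.getBackup());
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedSetBackupIamPolicy() {
        try {
            databaseAdminClient.setBackupIAMPolicy(backupId.getInstanceId().getInstance(), backupId.getBackup(), Policy.newBuilder().build());
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedTestBackupIamPermissions() {
        try {
            databaseAdminClient.testBackupIAMPermissions(backupId.getInstanceId().getInstance(), backupId.getBackup(), new ArrayList<String>());
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedCancelBackupOperation() {
        try {
            databaseAdminClient.cancelOperation(backupId.getName() + "/operations/nonexistentop");
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    @Test
    public void deniedGetBackupOperation() {
        try {
            databaseAdminClient.getOperation(backupId.getName() + "/operations/nonexistentop");
            Assert.fail("Expected PERMISSION_DENIED SpannerException");
        } catch (SpannerException e) {
            checkExceptionForVPCError(e);
        }
    }

    /**
     * Lists long-running operations through a raw {@link OperationsClient} and expects the
     * organization-policy denial as a gax {@link PermissionDeniedException}.
     *
     * <p>The credentials file named by {@code GOOGLE_APPLICATION_CREDENTIALS} is read once and
     * closed immediately; the client is closed on every path, including when the request
     * unexpectedly succeeds and {@code Assert.fail} throws.
     *
     * @throws IOException if the credentials file cannot be read or the client cannot be built
     */
    @Test
    public void deniedListBackupOperations() throws IOException {
        String credentialsPath = System.getenv("GOOGLE_APPLICATION_CREDENTIALS");
        // Fail with a readable message instead of a NullPointerException from FileInputStream.
        Assert.assertFalse("GOOGLE_APPLICATION_CREDENTIALS environment variable needs to be set to a credentials file", Strings.isNullOrEmpty(credentialsPath));

        GoogleCredentials credentials;
        try (FileInputStream credentialsStream = new FileInputStream(credentialsPath)) {
            credentials = GoogleCredentials.fromStream(credentialsStream);
        }

        OperationsSettings settings =
            OperationsSettings.newBuilder()
                .setTransportChannelProvider(InstantiatingGrpcChannelProvider.newBuilder().build())
                .setEndpoint("spanner.googleapis.com:443")
                .setCredentialsProvider(FixedCredentialsProvider.create(credentials))
                .build();

        try (OperationsClient operationsClient = OperationsClient.create(settings)) {
            operationsClient.listOperations(backupId.getName() + "/operations", "");
            Assert.fail("Expected PermissionDeniedException");
        } catch (PermissionDeniedException e) {
            Truth.assertThat(e.getMessage()).contains("Request is prohibited by organization's policy");
        }
    }
}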
