package org.apache.phoenix.end2end;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.phoenix.schema.TableNotFoundException;
import org.junit.Test;
import org.junit.experimental.categories.Category;

/**
 * End-to-end authorization tests for GRANT/REVOKE handling in Phoenix.
 *
 * <p>Every test starts its own mini cluster and then walks through an ordered sequence of
 * grant, revoke and access steps, checking after each step that the acting user is either
 * allowed or denied. The permission strings passed to {@code grantPermissions} are HBase
 * action letters (R = read, W = write, X = exec, C = create, A = admin).
 *
 * <p>The order of the statements inside each test is the test: a later expectation only makes
 * sense given the grants and revokes issued before it.
 */
@Category({NeedsOwnMiniClusterTest.class})
public class ChangePermissionsIT extends BasePermissionsIT {
    private static final Log LOG = LogFactory.getLog(ChangePermissionsIT.class);

    private static final String SCHEMA_NAME = "CHANGEPERMSSCHEMA";
    private static final String TABLE_NAME = ChangePermissionsIT.class.getSimpleName().toUpperCase();
    private static final String FULL_TABLE_NAME = SCHEMA_NAME + "." + TABLE_NAME;

    // Global indexes, a local index and views that the tests create on top of FULL_TABLE_NAME.
    private static final String IDX1_TABLE_NAME = TABLE_NAME + "_IDX1";
    private static final String IDX2_TABLE_NAME = TABLE_NAME + "_IDX2";
    private static final String IDX3_TABLE_NAME = TABLE_NAME + "_IDX3";
    private static final String LOCAL_IDX1_TABLE_NAME = TABLE_NAME + "_LIDX1";
    private static final String VIEW1_TABLE_NAME = TABLE_NAME + "_V1";
    private static final String VIEW2_TABLE_NAME = TABLE_NAME + "_V2";

    public ChangePermissionsIT(boolean namespaceMapped) throws Exception {
        super(namespaceMapped);
    }

    /**
     * Has {@code granter} give each grantee the access the tests treat as the minimum for
     * opening a Phoenix connection: RX on the SYSTEM schema (namespace-mapped clusters) or on
     * the individual system tables, plus W on SYSTEM."SEQUENCE".
     *
     * @param granter the user issuing the GRANT statements; each grant is expected to succeed
     * @param grantees the users receiving the access
     */
    private void grantSystemTableAccess(User granter, User... grantees) throws Exception {
        for (User grantee : grantees) {
            if (!isNamespaceMapped) {
                verifyAllowed(grantPermissions("RX", (Object) grantee, PHOENIX_SYSTEM_TABLES_IDENTIFIERS, false), granter);
            } else {
                // With namespace mapping the grant is made on the schema (last argument true).
                verifyAllowed(grantPermissions("RX", (Object) grantee, "SYSTEM", true), granter);
            }
            verifyAllowed(grantPermissions("W", (Object) grantee, "SYSTEM.\"SEQUENCE\"", false), granter);
        }
    }

    /**
     * Mirror image of {@link #grantSystemTableAccess}: has {@code revoker} take the system
     * table access away from each listed user again.
     *
     * @param revoker the user issuing the REVOKE statements; each revoke is expected to succeed
     * @param targets the users losing the access
     */
    private void revokeSystemTableAccess(User revoker, User... targets) throws Exception {
        for (User target : targets) {
            if (!isNamespaceMapped) {
                verifyAllowed(revokePermissions((Object) target, PHOENIX_SYSTEM_TABLES_IDENTIFIERS, false), revoker);
            } else {
                verifyAllowed(revokePermissions((Object) target, "SYSTEM", true), revoker);
            }
            verifyAllowed(revokePermissions((Object) target, "SYSTEM.\"SEQUENCE\"", false), revoker);
        }
    }

    /**
     * Gives regularUser1 the C (create) permission on the schema the test table lives in,
     * creating the test schema first when the cluster is namespace mapped. Without namespace
     * mapping the grant goes to the quoted "default" schema instead.
     */
    private void grantCreateOnTestSchemaToRegularUser1() throws Exception {
        if (isNamespaceMapped) {
            verifyAllowed(createSchema(SCHEMA_NAME), superUser1);
            verifyAllowed(grantPermissions("C", (Object) regularUser1, SCHEMA_NAME, true), superUser1);
        } else {
            verifyAllowed(grantPermissions("C", (Object) regularUser1, surroundWithDoubleQuotes("default"), true), superUser1);
        }
    }

    /**
     * A user needs RX on the system tables before a Phoenix connection can be opened, and
     * loses the ability to connect once that access is revoked.
     */
    @Test
    public void testRXPermsReqdForPhoenixConn() throws Exception {
        startNewMiniCluster();

        // Before any grant the connection attempt fails. The failure only shows up as an
        // AccessDeniedException on namespace-mapped clusters; otherwise the test expects a
        // TableNotFoundException, so a denial is not always reported as "access denied".
        if (isNamespaceMapped) {
            verifyDenied(getConnectionAction(), AccessDeniedException.class, regularUser1);
        } else {
            verifyDenied(getConnectionAction(), TableNotFoundException.class, regularUser1);
        }

        grantSystemTableAccess(superUser1, regularUser1, regularUser2);
        verifyAllowed(getConnectionAction(), regularUser1);

        // Revocation is checked for regularUser2 only.
        // NOTE(review): nothing here re-checks that regularUser1 can still connect after the
        // revoke, so a revoke that removed too much would go unnoticed by this test.
        revokeSystemTableAccess(superUser1, regularUser2);
        verifyDenied(getConnectionAction(), AccessDeniedException.class, regularUser2);
    }

    /**
     * The A (admin) permission is what allows a user to grant permissions to others; holding
     * only the system table access needed to connect is not enough.
     */
    @Test
    public void testSuperUserCanChangePerms() throws Exception {
        startNewMiniCluster();
        grantSystemTableAccess(superUser1, regularUser1, regularUser2, unprivilegedUser);

        // The superuser hands A to regularUser1 without naming a table or schema.
        verifyAllowed(grantPermissions("A", regularUser1), superUser1);
        verifyAllowed(readTableWithoutVerification("SYSTEM.\"CATALOG\""), regularUser1);

        // Holding A, regularUser1 can pass A on to regularUser2.
        verifyAllowed(grantPermissions("A", regularUser2), regularUser1);

        // Once the superuser revokes it, regularUser1 can no longer grant.
        // NOTE(review): the test does not check what happened to the A permission that
        // regularUser1 gave regularUser2 before being revoked - confirm whether it is
        // expected to survive the grantor's revocation.
        verifyAllowed(revokePermissions(regularUser1), superUser1);
        verifyDenied(grantPermissions("A", regularUser3), AccessDeniedException.class, regularUser1);

        // A user who can connect but was never given A cannot grant anything.
        verifyAllowed(getConnectionAction(), unprivilegedUser);
        verifyDenied(grantPermissions("ARX", regularUser4), AccessDeniedException.class, unprivilegedUser);
    }

    /**
     * Read access granted on a base table also covers its indexes and views, and revoking it
     * on the base table removes access to the index as well.
     */
    @Test
    public void testReadPermsOnTableIndexAndView() throws Exception {
        final String qualifiedIdx1 = SCHEMA_NAME + "." + IDX1_TABLE_NAME;
        final String qualifiedView1 = SCHEMA_NAME + "." + VIEW1_TABLE_NAME;

        startNewMiniCluster();
        grantSystemTableAccess(superUser1, regularUser1, regularUser2, unprivilegedUser);
        grantCreateOnTestSchemaToRegularUser1();

        // regularUser1 builds the table, two global indexes, a local index, a view and an
        // index on that view.
        verifyAllowed(createTable(FULL_TABLE_NAME), regularUser1);
        verifyAllowed(readTable(FULL_TABLE_NAME), regularUser1);
        verifyAllowed(createIndex(IDX1_TABLE_NAME, FULL_TABLE_NAME), regularUser1);
        verifyAllowed(createIndex(IDX2_TABLE_NAME, FULL_TABLE_NAME), regularUser1);
        verifyAllowed(createLocalIndex(LOCAL_IDX1_TABLE_NAME, FULL_TABLE_NAME), regularUser1);
        verifyAllowed(createView(VIEW1_TABLE_NAME, FULL_TABLE_NAME), regularUser1);
        verifyAllowed(createIndex(IDX3_TABLE_NAME, VIEW1_TABLE_NAME), regularUser1);

        // regularUser2 can connect but has no access to the table, its index or its view yet.
        verifyAllowed(getConnectionAction(), regularUser2);
        verifyDenied(readTable(FULL_TABLE_NAME), AccessDeniedException.class, regularUser2);
        verifyDenied(readTable(FULL_TABLE_NAME, IDX1_TABLE_NAME), AccessDeniedException.class, regularUser2);
        verifyDenied(readTable(VIEW1_TABLE_NAME), AccessDeniedException.class, regularUser2);
        verifyDenied(readTableWithoutVerification(qualifiedIdx1), AccessDeniedException.class, regularUser2);

        // The grant is made on the base table only. Granting directly on the index is
        // rejected, and granting on the view fails with TableNotFoundException.
        verifyAllowed(grantPermissions("RX", (Object) regularUser2, FULL_TABLE_NAME, false), regularUser1);
        verifyDenied(grantPermissions("W", (Object) regularUser2, qualifiedIdx1, false), AccessDeniedException.class, regularUser1);
        verifyDenied(grantPermissions("W", (Object) regularUser2, qualifiedView1, false), TableNotFoundException.class, regularUser1);

        // The base-table grant is enough to read through every index and the view.
        verifyAllowed(readTable(FULL_TABLE_NAME), regularUser2);
        verifyAllowed(readTable(FULL_TABLE_NAME, IDX1_TABLE_NAME), regularUser2);
        verifyAllowed(readTable(FULL_TABLE_NAME, IDX2_TABLE_NAME), regularUser2);
        verifyAllowed(readTable(FULL_TABLE_NAME, LOCAL_IDX1_TABLE_NAME), regularUser2);
        verifyAllowed(readTableWithoutVerification(qualifiedIdx1), regularUser2);
        verifyAllowed(readTable(VIEW1_TABLE_NAME), regularUser2);
        verifyAllowed(readMultiTenantTableWithIndex(VIEW1_TABLE_NAME), regularUser2);

        // Revoking on the base table takes the index access away with it.
        verifyAllowed(revokePermissions((Object) regularUser2, FULL_TABLE_NAME, false), regularUser1);
        verifyDenied(readTable(FULL_TABLE_NAME), AccessDeniedException.class, regularUser2);
        verifyDenied(readTableWithoutVerification(qualifiedIdx1), AccessDeniedException.class, regularUser2);
    }

    /**
     * Permissions granted to a group name apply to groupUser, including the ability to grant
     * to others, and are lost when the group's permissions are revoked.
     */
    @Test
    public void testGroupUserPerms() throws Exception {
        startNewMiniCluster();
        if (isNamespaceMapped) {
            verifyAllowed(createSchema(SCHEMA_NAME), superUser1);
        }
        verifyAllowed(createTable(FULL_TABLE_NAME), superUser1);

        // The group gets RX on the system tables; regularUser1 gets it individually.
        // presumably groupUser is a member of "group_system_access" - verify in the base class
        verifyAllowed(grantPermissions("RX", "group_system_access", PHOENIX_SYSTEM_TABLES_IDENTIFIERS, false), superUser1);
        grantSystemTableAccess(superUser1, regularUser1);

        // ARX on the table goes to the group only, so regularUser1 is still shut out.
        verifyAllowed(grantPermissions("ARX", "group_system_access", FULL_TABLE_NAME, false), superUser1);
        verifyAllowed(readTable(FULL_TABLE_NAME), groupUser);
        verifyDenied(readTable(FULL_TABLE_NAME), AccessDeniedException.class, regularUser1);

        // groupUser uses the group's A permission to let regularUser1 in.
        verifyAllowed(grantPermissions("RX", (Object) regularUser1, FULL_TABLE_NAME, false), groupUser);
        verifyAllowed(readTable(FULL_TABLE_NAME), regularUser1);

        // Revoking the group's permissions locks groupUser out.
        // NOTE(review): whether regularUser1 keeps the access groupUser granted is not
        // asserted here.
        verifyAllowed(revokePermissions("group_system_access", FULL_TABLE_NAME, false), superUser1);
        verifyDenied(readTable(FULL_TABLE_NAME), AccessDeniedException.class, groupUser);
    }

    /**
     * RX granted on a multi-tenant base table lets the grantee read tenant views created on
     * that table afterwards.
     */
    @Test
    public void testMultiTenantTables() throws Exception {
        startNewMiniCluster();
        grantSystemTableAccess(superUser1, regularUser1, regularUser2, regularUser3);
        grantCreateOnTestSchemaToRegularUser1();

        verifyAllowed(createMultiTenantTable(FULL_TABLE_NAME), regularUser1);
        verifyDenied(readMultiTenantTableWithoutIndex(FULL_TABLE_NAME), AccessDeniedException.class, regularUser2);

        verifyAllowed(grantPermissions("RX", (Object) regularUser2, FULL_TABLE_NAME, false), regularUser1);
        verifyAllowed(readMultiTenantTableWithoutIndex(FULL_TABLE_NAME), regularUser2);

        // "o1" and "o2" look like tenant ids - TODO confirm against the base class helpers.
        // The views and their indexes are created after the grant above was issued.
        verifyAllowed(createView(VIEW1_TABLE_NAME, FULL_TABLE_NAME, "o1"), regularUser1);
        verifyAllowed(createView(VIEW2_TABLE_NAME, FULL_TABLE_NAME, "o2"), regularUser1);
        verifyAllowed(createIndex(IDX1_TABLE_NAME, VIEW1_TABLE_NAME, "o1"), regularUser1);
        verifyAllowed(createIndex(IDX2_TABLE_NAME, VIEW2_TABLE_NAME, "o2"), regularUser1);

        verifyAllowed(readMultiTenantTableWithIndex(VIEW1_TABLE_NAME, "o1"), regularUser2);
        verifyAllowed(readMultiTenantTableWithoutIndex(VIEW2_TABLE_NAME, "o2"), regularUser2);
    }

    /**
     * RX on the schema is sufficient for a user to create a view over a table that the
     * superuser created in that schema.
     */
    @Test
    public void testCreateViewOnTableWithRXPermsOnSchema() throws Exception {
        startNewMiniCluster();
        grantSystemTableAccess(superUser1, regularUser1, regularUser2, regularUser3);

        // The table belongs to the superuser; regularUser1 only receives RX on the schema
        // (the quoted "default" schema when the cluster is not namespace mapped).
        if (isNamespaceMapped) {
            verifyAllowed(createSchema(SCHEMA_NAME), superUser1);
            verifyAllowed(createTable(FULL_TABLE_NAME), superUser1);
            verifyAllowed(grantPermissions("RX", (Object) regularUser1, SCHEMA_NAME, true), superUser1);
        } else {
            verifyAllowed(createTable(FULL_TABLE_NAME), superUser1);
            verifyAllowed(grantPermissions("RX", (Object) regularUser1, surroundWithDoubleQuotes("default"), true), superUser1);
        }

        verifyAllowed(createView(VIEW1_TABLE_NAME, FULL_TABLE_NAME), regularUser1);
    }
}
