package org.apache.impala.analysis;

import java.util.HashSet;
import org.apache.impala.authorization.NoopAuthorizationFactory;
import org.apache.impala.authorization.ranger.RangerAuthorizationConfig;
import org.apache.impala.authorization.ranger.RangerAuthorizationFactory;
import org.apache.impala.catalog.Role;
import org.apache.impala.catalog.User;
import org.apache.impala.common.AnalysisException;
import org.apache.impala.common.FrontendTestBase;
import org.apache.impala.testutil.TestUtils;
import org.apache.impala.util.EventSequence;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngineOptions;
import org.junit.Test;

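/* loaded from: input_file:org/apache/impala/analysis/AnalyzeAuthStmtsTest.class */
/**
 * Analysis-only tests for authorization statements: SHOW ROLES, SHOW GRANT, CREATE/DROP ROLE,
 * GRANT/REVOKE ROLE and GRANT/REVOKE of privileges.
 *
 * <p>Unless a test passes its own context, statements are analyzed with a
 * {@link RangerAuthorizationFactory} built from the constants below. Each test also re-runs a few
 * statements against a {@link NoopAuthorizationFactory} context and expects
 * "Authorization is not enabled.", so an authorization statement is never silently accepted when
 * no authorization provider is configured.
 */
public class AnalyzeAuthStmtsTest extends FrontendTestBase {
    protected static final String SERVER_NAME = "server1";
    protected static final String RANGER_SERVICE_TYPE = "hive";
    protected static final String RANGER_APP_ID = "impala";

    // Expected analysis errors that several tests share.
    private static final String AUTHZ_DISABLED_MSG = "Authorization is not enabled.";
    private static final String URI_SCOPE_MSG =
            "Only 'ALL' privilege may be applied at URI scope in privilege spec.";
    private static final String STORAGE_URI_SCOPE_MSG =
            "Only 'RWSTORAGE' privilege may be applied at storage handler URI scope in privilege spec.";

    /**
     * Registers the role "myRole" and the user "myUser" in the test catalog's authorization policy
     * so that the statements below can refer to them.
     */
    public AnalyzeAuthStmtsTest() {
        // NOTE(review): the meaning of the (empty) set argument is defined by Role/User, which are
        // not visible here.
        catalog_.getAuthPolicy().addPrincipal(new Role("myRole", new HashSet<>()));
        catalog_.getAuthPolicy().addPrincipal(new User("myUser", new HashSet<>()));
    }

    /**
     * Analyzes {@code str} with the authorization-enabled context and the "default" database.
     *
     * @param str the statement to analyze
     * @return whatever the three-argument {@code AnalyzesOk} overload returns
     */
    @Override // org.apache.impala.common.FrontendTestBase
    public ParseNode AnalyzesOk(String str) {
        return AnalyzesOk(str, createAnalysisCtx("default"), null);
    }

    /**
     * Expects analysis of {@code str} to fail with {@code str2}, using the authorization-enabled
     * context and the "default" database.
     *
     * @param str the statement to analyze
     * @param str2 the expected error message
     */
    @Override // org.apache.impala.common.FrontendTestBase
    public void AnalysisError(String str, String str2) {
        AnalysisError(str, createAnalysisCtx("default"), str2);
    }

    /**
     * Builds an analysis context that uses Ranger authorization and the JVM's {@code user.name}
     * as the requesting user.
     *
     * @param str the default database of the query context
     * @return a new authorization-enabled context
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.impala.common.FrontendTestBase
    public AnalysisContext createAnalysisCtx(String str) {
        return createRangerAnalysisCtx(str, System.getProperty("user.name"));
    }

    /** Builds a Ranger-authorized analysis context for the given default database and user. */
    private AnalysisContext createRangerAnalysisCtx(String defaultDb, String user) {
        RangerAuthorizationFactory authzFactory = new RangerAuthorizationFactory(
                new RangerAuthorizationConfig(RANGER_SERVICE_TYPE, RANGER_APP_ID, SERVER_NAME,
                        (String) null, (String) null, (RangerPolicyEngineOptions) null));
        return new AnalysisContext(TestUtils.createQueryContext(defaultDb, user), authzFactory,
                new EventSequence("Authorization Test"));
    }

    /** Builds an analysis context whose authorization factory is the no-op one. */
    private AnalysisContext createAuthDisabledAnalysisCtx() {
        return new AnalysisContext(
                TestUtils.createQueryContext("default", System.getProperty("user.name")),
                new NoopAuthorizationFactory(), new EventSequence("Authorization Test"));
    }

    /** Expected error when the object named in a privilege statement cannot be resolved. */
    private static String privilegeError(String scope, String name) {
        return "Error setting/showing privileges for " + scope + " '" + name + "'. Verify that the "
                + scope + " exists and that you have permissions to issue a "
                + "GRANT/REVOKE/SHOW GRANT statement.";
    }

    /** SHOW ROLES variants analyze with authorization enabled and are rejected without it. */
    @Test
    public void AnalyzeShowRoles() {
        AnalyzesOk("SHOW ROLES");
        AnalyzesOk("SHOW ROLE GRANT GROUP myGroup");
        AnalyzesOk("SHOW CURRENT ROLES");

        AnalysisContext authDisabledCtx = createAuthDisabledAnalysisCtx();
        AnalysisError("SHOW ROLES", authDisabledCtx, AUTHZ_DISABLED_MSG);
        AnalysisError("SHOW ROLE GRANT GROUP myGroup", authDisabledCtx, AUTHZ_DISABLED_MSG);
        AnalysisError("SHOW CURRENT ROLES", authDisabledCtx, AUTHZ_DISABLED_MSG);
    }

    /** SHOW GRANT for role, user and group principals at every supported scope. */
    @Test
    public void AnalyzeShowGrantPrincipal() {
        String[] principals = {"ROLE myRole", "USER myUser", "GROUP myGroup"};
        for (String principal : principals) {
            AnalyzesOk(String.format("SHOW GRANT %s", principal));
            AnalyzesOk(String.format("SHOW GRANT %s ON SERVER", principal));
            AnalyzesOk(String.format("SHOW GRANT %s ON DATABASE functional", principal));
            AnalyzesOk(String.format("SHOW GRANT %s ON TABLE functional.alltypes", principal));
            AnalyzesOk(String.format("SHOW GRANT %s ON COLUMN functional.alltypes.year", principal));
            AnalyzesOk(String.format("SHOW GRANT %s ON URI 'hdfs:////test-warehouse//foo'",
                    principal));

            // NOTE(review): the authorization-disabled statements name ROLE myRole on every
            // iteration, so the USER and GROUP forms are not checked against the disabled context.
            AnalysisContext authDisabledCtx = createAuthDisabledAnalysisCtx();
            AnalysisError("SHOW GRANT ROLE myRole", authDisabledCtx, AUTHZ_DISABLED_MSG);
            AnalysisError("SHOW GRANT ROLE myRole ON SERVER", authDisabledCtx, AUTHZ_DISABLED_MSG);

            // A missing object and a missing permission produce the same message.
            AnalysisError(String.format("SHOW GRANT %s on DATABASE foo", principal),
                    privilegeError("database", "foo"));
            AnalysisError(String.format("SHOW GRANT %s on TABLE foo.bar", principal),
                    privilegeError("table", "foo.bar"));
            AnalysisError(String.format("SHOW GRANT %s on COLUMN foo.bar.baz", principal),
                    privilegeError("table", "foo.bar"));
        }
    }

    /** CREATE ROLE / DROP ROLE analyze with authorization enabled and are rejected without it. */
    @Test
    public void AnalyzeCreateDropRole() throws AnalysisException {
        AnalyzesOk("DROP ROLE myRole");
        AnalyzesOk("CREATE ROLE doesNotExist");
        // Same role name in a different case.
        AnalyzesOk("DROP ROLE MYrole");

        AnalysisContext authDisabledCtx = createAuthDisabledAnalysisCtx();
        AnalysisError("DROP ROLE myRole", authDisabledCtx, AUTHZ_DISABLED_MSG);
        AnalysisError("CREATE ROLE doesNotExist", authDisabledCtx, AUTHZ_DISABLED_MSG);
    }

    /** GRANT ROLE / REVOKE ROLE analyze with authorization enabled and are rejected without it. */
    @Test
    public void AnalyzeGrantRevokeRole() throws AnalysisException {
        AnalyzesOk("GRANT ROLE myrole TO GROUP abc");
        AnalyzesOk("REVOKE ROLE myrole FROM GROUP abc");

        AnalysisContext authDisabledCtx = createAuthDisabledAnalysisCtx();
        AnalysisError("GRANT ROLE myrole TO GROUP abc", authDisabledCtx, AUTHZ_DISABLED_MSG);
        AnalysisError("REVOKE ROLE myrole FROM GROUP abc", authDisabledCtx, AUTHZ_DISABLED_MSG);
    }

    /**
     * GRANT and REVOKE of each privilege at each scope, for every principal form.
     *
     * <p>Every statement template takes three arguments: the verb (GRANT/REVOKE), the matching
     * preposition (TO/FROM) and the principal.
     */
    @Test
    public void AnalyzeGrantRevokePriv() throws AnalysisException {
        boolean[] grantModes = {true, false};
        String[] principals = {"myRole", "ROLE myRole", "GROUP myGroup", "USER myUser"};
        for (String principal : principals) {
            for (boolean isGrant : grantModes) {
                // Object[] so that String.format receives the elements as its varargs.
                Object[] args = isGrant
                        ? new Object[]{"GRANT", "TO", principal}
                        : new Object[]{"REVOKE", "FROM", principal};

                // ALL
                AnalyzesOk(String.format("%s ALL ON TABLE alltypes %s %s", args),
                        createAnalysisCtx("functional"));
                AnalyzesOk(String.format("%s ALL ON TABLE functional.alltypes %s %s", args));
                AnalyzesOk(String.format("%s ALL ON TABLE functional_kudu.alltypes %s %s", args));
                AnalyzesOk(String.format("%s ALL ON DATABASE functional %s %s", args));
                AnalyzesOk(String.format("%s ALL ON SERVER %s %s", args));
                AnalyzesOk(String.format("%s ALL ON SERVER server1 %s %s", args));
                AnalyzesOk(String.format("%s ALL ON URI 'hdfs:////abc//123' %s %s", args));
                AnalysisError(String.format("%s ALL ON URI 'xxxx:////abc//123' %s %s", args),
                        "No FileSystem for scheme: xxxx");
                AnalysisError(
                        String.format("%s ALL ON STORAGEHANDLER_URI 'kudu://localhost/tbl' %s %s",
                                args),
                        STORAGE_URI_SCOPE_MSG);
                AnalysisError(String.format("%s ALL ON DATABASE does_not_exist %s %s", args),
                        privilegeError("database", "does_not_exist"));
                AnalysisError(String.format("%s ALL ON TABLE does_not_exist %s %s", args),
                        privilegeError("table", "does_not_exist"));
                // A server name other than the configured one is rejected.
                AnalysisError(String.format("%s ALL ON SERVER does_not_exist %s %s", args),
                        "Specified server name 'does_not_exist' does not match the configured server name 'server1'");

                // INSERT
                AnalyzesOk(String.format("%s INSERT ON TABLE alltypesagg %s %s", args),
                        createAnalysisCtx("functional"));
                AnalyzesOk(String.format("%s INSERT ON TABLE functional_kudu.alltypessmall %s %s",
                        args));
                AnalyzesOk(String.format("%s INSERT ON TABLE functional.alltypesagg %s %s", args));
                AnalyzesOk(String.format("%s INSERT ON DATABASE functional %s %s", args));
                AnalyzesOk(String.format("%s INSERT ON SERVER %s %s", args));
                AnalysisError(String.format("%s INSERT ON URI 'hdfs:////abc//123' %s %s", args),
                        URI_SCOPE_MSG);
                AnalysisError(
                        String.format("%s INSERT ON STORAGEHANDLER_URI 'kudu://localhost/tbl' %s %s",
                                args),
                        STORAGE_URI_SCOPE_MSG);

                // SELECT
                AnalyzesOk(String.format("%s SELECT ON TABLE alltypessmall %s %s", args),
                        createAnalysisCtx("functional"));
                AnalyzesOk(String.format("%s SELECT ON TABLE functional.alltypessmall %s %s", args));
                AnalyzesOk(String.format("%s SELECT ON TABLE functional_kudu.alltypessmall %s %s",
                        args));
                AnalyzesOk(String.format("%s SELECT ON DATABASE functional %s %s", args));
                AnalyzesOk(String.format("%s SELECT ON SERVER %s %s", args));
                AnalysisError(String.format("%s SELECT ON URI 'hdfs:////abc//123' %s %s", args),
                        URI_SCOPE_MSG);
                AnalysisError(
                        String.format("%s SELECT ON STORAGEHANDLER_URI 'kudu://localhost/tbl' %s %s",
                                args),
                        STORAGE_URI_SCOPE_MSG);

                // Column-level privileges: only SELECT with a non-empty list of existing columns.
                AnalyzesOk(String.format("%s SELECT (id, int_col) ON TABLE functional.alltypes %s %s",
                        args));
                AnalyzesOk(String.format("%s SELECT (id, id) ON TABLE functional.alltypes %s %s",
                        args));
                AnalyzesOk(
                        String.format("%s SELECT (id, int_col, year, month) ON TABLE alltypes %s %s",
                                args),
                        createAnalysisCtx("functional"));
                AnalyzesOk(String.format(
                        "%s SELECT (id, bool_col) ON TABLE functional_kudu.alltypessmall %s %s", args));
                AnalyzesOk(String.format(
                        "%s SELECT (id, bool_col) ON TABLE functional.alltypes_hive_view %s %s", args));
                AnalysisError(String.format("%s SELECT () ON TABLE functional.alltypes %s %s", args),
                        "Empty column list in column privilege spec.");
                AnalysisError(
                        String.format("%s INSERT (id, tinyint_col) ON TABLE functional.alltypes %s %s",
                                args),
                        "Only 'SELECT' privileges are allowed in a column privilege spec.");
                AnalysisError(
                        String.format("%s ALL (id, tinyint_col) ON TABLE functional.alltypes %s %s",
                                args),
                        "Only 'SELECT' privileges are allowed in a column privilege spec.");
                AnalysisError(
                        String.format("%s SELECT (invalid_col) ON TABLE functional.alltypes %s %s",
                                args),
                        "Error setting/showing column-level privileges for table 'functional.alltypes'. Verify that both table and columns exist and that you have permissions to issue a GRANT/REVOKE/SHOW GRANT statement.");
                AnalysisError(
                        String.format(
                                "%s SELECT (id, int_col) ON TABLE functional.does_not_exist %s %s",
                                args),
                        privilegeError("table", "functional.does_not_exist"));

                // REFRESH
                AnalyzesOk(String.format("%s REFRESH ON TABLE functional.alltypes %s %s", args));
                AnalyzesOk(String.format("%s REFRESH ON DATABASE functional %s %s", args));
                AnalyzesOk(String.format("%s REFRESH ON SERVER %s %s", args));
                AnalyzesOk(String.format("%s REFRESH ON SERVER server1 %s %s", args));
                AnalysisError(String.format("%s REFRESH ON URI 'hdfs:////abc//123' %s %s", args),
                        URI_SCOPE_MSG);
                AnalysisError(
                        String.format("%s REFRESH ON STORAGEHANDLER_URI 'kudu://localhost/tbl' %s %s",
                                args),
                        STORAGE_URI_SCOPE_MSG);

                // CREATE
                AnalyzesOk(String.format("%s CREATE ON SERVER %s %s", args));
                AnalyzesOk(String.format("%s CREATE ON SERVER server1 %s %s", args));
                AnalyzesOk(String.format("%s CREATE ON DATABASE functional %s %s", args));
                AnalysisError(String.format("%s CREATE ON TABLE functional.alltypes %s %s", args),
                        "Create-level privileges on tables are not supported.");
                AnalysisError(String.format("%s CREATE ON URI 'hdfs:////abc//123' %s %s", args),
                        URI_SCOPE_MSG);
                AnalysisError(
                        String.format("%s CREATE ON STORAGEHANDLER_URI 'kudu://localhost/tbl' %s %s",
                                args),
                        STORAGE_URI_SCOPE_MSG);

                // ALTER
                AnalyzesOk(String.format("%s ALTER ON SERVER %s %s", args));
                AnalyzesOk(String.format("%s ALTER ON SERVER server1 %s %s", args));
                AnalyzesOk(String.format("%s ALTER ON DATABASE functional %s %s", args));
                AnalyzesOk(String.format("%s ALTER ON TABLE functional.alltypes %s %s", args));
                AnalysisError(String.format("%s ALTER ON URI 'hdfs:////abc/123' %s %s", args),
                        URI_SCOPE_MSG);
                AnalysisError(
                        String.format("%s ALTER ON STORAGEHANDLER_URI 'kudu://localhost/tbl' %s %s",
                                args),
                        STORAGE_URI_SCOPE_MSG);

                // DROP
                AnalyzesOk(String.format("%s DROP ON SERVER %s %s", args));
                AnalyzesOk(String.format("%s DROP ON SERVER server1 %s %s", args));
                AnalyzesOk(String.format("%s DROP ON DATABASE functional %s %s", args));
                // The grantee comes from args like every other case, so USER and GROUP principals
                // are covered for DROP at table scope as well.
                AnalyzesOk(String.format("%s DROP ON TABLE functional.alltypes %s %s", args));
                AnalysisError(String.format("%s DROP ON URI 'hdfs:////abc/123' %s %s", args),
                        URI_SCOPE_MSG);
                AnalysisError(
                        String.format("%s DROP ON STORAGEHANDLER_URI 'kudu://localhost/tbl' %s %s",
                                args),
                        STORAGE_URI_SCOPE_MSG);

                // RWSTORAGE on storage handler URIs, including wildcard forms.
                AnalyzesOk(String.format(
                        "%s RWSTORAGE ON STORAGEHANDLER_URI 'kudu://localhost/tbl' %s %s", args));
                AnalyzesOk(String.format("%s RWSTORAGE ON STORAGEHANDLER_URI '*://*' %s %s", args));
                AnalyzesOk(String.format("%s RWSTORAGE ON STORAGEHANDLER_URI 'kudu://*' %s %s", args));
                AnalyzesOk(String.format(
                        "%s RWSTORAGE ON STORAGEHANDLER_URI 'kudu://localhost/*' %s %s", args));
                AnalysisError(
                        String.format("%s DROP ON STORAGEHANDLER_URI 'abc://localhost/tbl' %s %s",
                                args),
                        "The storage type \"abc\" is not supported. A storage handler URI should be in the form of <storage_type>://<hostname>[:<port>]/<path_to_resource>.");
                AnalysisError(
                        String.format("%s RWSTORAGE ON STORAGEHANDLER_URI 'kudu://*/*' %s %s", args),
                        "A storage handler URI should be in the form of <storage_type>://<hostname>[:<port>]/<path_to_resource>.");
            }

            AnalysisContext authDisabledCtx = createAuthDisabledAnalysisCtx();
            AnalysisError("GRANT ALL ON SERVER TO myRole", authDisabledCtx, AUTHZ_DISABLED_MSG);
            AnalysisError("REVOKE ALL ON SERVER FROM myRole", authDisabledCtx, AUTHZ_DISABLED_MSG);

            // With authorization enabled, a request that carries an empty user name is rejected.
            AnalysisError("GRANT ALL ON SERVER TO myRole", createRangerAnalysisCtx("default", ""),
                    "Cannot execute authorization statement with an empty username.");
        }
    }
}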
