package io.trino.aws.proxy.server;

import com.google.common.collect.ImmutableMap;
import com.google.inject.Inject;
import com.google.inject.Scopes;
import io.airlift.http.client.HttpClient;
import io.airlift.http.client.Request;
import io.airlift.http.client.StaticBodyGenerator;
import io.airlift.http.client.StatusResponseHandler;
import io.trino.aws.proxy.server.security.opa.ForOpa;
import io.trino.aws.proxy.server.testing.TestingTrinoAwsProxyServer;
import io.trino.aws.proxy.server.testing.containers.OpaContainer;
import io.trino.aws.proxy.server.testing.harness.BuilderFilter;
import io.trino.aws.proxy.server.testing.harness.TrinoAwsProxyTest;
import io.trino.aws.proxy.spi.credentials.Identity;
import io.trino.aws.proxy.spi.rest.ParsedS3Request;
import io.trino.aws.proxy.spi.security.opa.OpaRequest;
import io.trino.aws.proxy.spi.security.opa.OpaS3SecurityMapper;
import jakarta.ws.rs.core.UriBuilder;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Objects;
import java.util.Optional;
import org.assertj.core.api.Assertions;
import org.assertj.core.api.InstanceOfAssertFactories;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.S3Exception;

@TrinoAwsProxyTest(filters = {Filter.class})
/* loaded from: input_file:io/trino/aws/proxy/server/TestOpaSecurity.class */
public class TestOpaSecurity {
    private final HttpClient httpClient;
    private final int containerPort;
    private final S3Client s3Client;
    private static final String POLICY = "package test\n\ndefault allow = false\n\nallow {\n\tinput.table = \"good\"\n}\n";

    /* loaded from: input_file:io/trino/aws/proxy/server/TestOpaSecurity$Filter.class */
    public static class Filter implements BuilderFilter {
        @Override // io.trino.aws.proxy.server.testing.harness.BuilderFilter
        public TestingTrinoAwsProxyServer.Builder filter(TestingTrinoAwsProxyServer.Builder builder) {
            return builder.withProperty("s3-security.type", "opa").withProperty("opa-s3-security.server-base-uri", "http://localhost/v1/data").addModule(binder -> {
                binder.bind(OpaS3SecurityMapper.class).to(OpaMapper.class).in(Scopes.SINGLETON);
            }).withS3Container().withOpaContainer();
        }
    }

    /* loaded from: input_file:io/trino/aws/proxy/server/TestOpaSecurity$OpaMapper.class */
    public static class OpaMapper implements OpaS3SecurityMapper {
        private final int containerPort;

        @Inject
        public OpaMapper(OpaContainer opaContainer) {
            this.containerPort = opaContainer.getPort();
        }

        public OpaRequest toRequest(ParsedS3Request parsedS3Request, Optional<String> optional, URI uri, Optional<Identity> optional2) {
            Assertions.assertThat(optional2).isPresent();
            return new OpaRequest(UriBuilder.fromUri(uri).port(this.containerPort).path("test").path("allow").build(new Object[0]), ImmutableMap.of("table", parsedS3Request.keyInBucket()));
        }
    }

    @Inject
    public TestOpaSecurity(@ForOpa HttpClient httpClient, OpaContainer opaContainer, S3Client s3Client) {
        this.httpClient = (HttpClient) Objects.requireNonNull(httpClient, "httpClient is null");
        this.containerPort = opaContainer.getPort();
        this.s3Client = (S3Client) Objects.requireNonNull(s3Client, "s3Client is null");
    }

    @BeforeAll
    public void setup() {
        Assertions.assertThat(((StatusResponseHandler.StatusResponse) this.httpClient.execute(Request.Builder.preparePut().setUri(URI.create("http://localhost:%s/v1/policies/test".formatted(Integer.valueOf(this.containerPort)))).setBodyGenerator(StaticBodyGenerator.createStaticBodyGenerator(POLICY, StandardCharsets.UTF_8)).build(), StatusResponseHandler.createStatusResponseHandler())).getStatusCode()).isEqualTo(200);
    }

    @Test
    public void testBadTable() {
        Assertions.assertThatThrownBy(() -> {
            this.s3Client.getObject((GetObjectRequest) GetObjectRequest.builder().bucket("hey").key("bad").build());
        }).asInstanceOf(InstanceOfAssertFactories.type(S3Exception.class)).extracting((v0) -> {
            return v0.statusCode();
        }).isEqualTo(401);
    }

    @Test
    public void testGoodTable() {
        Assertions.assertThatThrownBy(() -> {
            this.s3Client.getObject((GetObjectRequest) GetObjectRequest.builder().bucket("hey").key("good").build());
        }).asInstanceOf(InstanceOfAssertFactories.type(S3Exception.class)).extracting((v0) -> {
            return v0.statusCode();
        }).isEqualTo(404);
    }
}
