package io.trino.aws.proxy.server;

import com.google.common.collect.ImmutableMap;
import com.google.inject.Inject;
import com.google.inject.Scopes;
import io.airlift.http.client.HttpClient;
import io.airlift.http.client.Request;
import io.airlift.http.client.StaticBodyGenerator;
import io.airlift.http.client.StatusResponseHandler;
import io.trino.aws.proxy.server.security.opa.ForOpa;
import io.trino.aws.proxy.server.testing.TestingTrinoAwsProxyServer;
import io.trino.aws.proxy.server.testing.TestingUtil;
import io.trino.aws.proxy.server.testing.containers.OpaContainer;
import io.trino.aws.proxy.server.testing.containers.S3Container;
import io.trino.aws.proxy.server.testing.harness.BuilderFilter;
import io.trino.aws.proxy.server.testing.harness.TrinoAwsProxyTest;
import io.trino.aws.proxy.spi.credentials.Identity;
import io.trino.aws.proxy.spi.rest.ParsedS3Request;
import io.trino.aws.proxy.spi.security.SecurityResponse;
import io.trino.aws.proxy.spi.security.opa.OpaClient;
import io.trino.aws.proxy.spi.security.opa.OpaRequest;
import io.trino.aws.proxy.spi.security.opa.OpaS3SecurityFacade;
import jakarta.ws.rs.core.UriBuilder;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Objects;
import java.util.Optional;
import org.assertj.core.api.Assertions;
import org.assertj.core.api.InstanceOfAssertFactories;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.S3Exception;

@TrinoAwsProxyTest(filters = {Filter.class})
/* loaded from: input_file:io/trino/aws/proxy/server/TestOpaSecurity.class */
public class TestOpaSecurity {
    private final HttpClient httpClient;
    private final S3Client s3Client;
    private final S3Client storageClient;
    private final String opaContainerHost;
    private final int opaContainerPort;
    private static final String POLICY = "package test\n\ndefault allow = false\n\nallow {\n\tinput.table = \"good\"\n}\n";

    /* loaded from: input_file:io/trino/aws/proxy/server/TestOpaSecurity$Filter.class */
    public static class Filter implements BuilderFilter {
        @Override // io.trino.aws.proxy.server.testing.harness.BuilderFilter
        public TestingTrinoAwsProxyServer.Builder filter(TestingTrinoAwsProxyServer.Builder builder) {
            return builder.withProperty("s3-security.type", "opa").withProperty("opa-s3-security.server-base-uri", "http://localhost/v1/data").addModule(binder -> {
                binder.bind(OpaS3SecurityFacade.class).to(TestingOpaS3SecurityFacade.class).in(Scopes.SINGLETON);
            }).withS3Container().withOpaContainer();
        }
    }

    /* loaded from: input_file:io/trino/aws/proxy/server/TestOpaSecurity$TestingOpaS3SecurityFacade.class */
    public static class TestingOpaS3SecurityFacade implements OpaS3SecurityFacade {
        private final OpaClient opaClient;
        private final String opaContainerHost;
        private final int opaContainerPort;

        @Inject
        public TestingOpaS3SecurityFacade(OpaContainer opaContainer, OpaClient opaClient) {
            this.opaContainerHost = opaContainer.getHost();
            this.opaContainerPort = opaContainer.getPort();
            this.opaClient = (OpaClient) Objects.requireNonNull(opaClient, "opaClient is null");
        }

        public SecurityResponse apply(ParsedS3Request parsedS3Request, Optional<String> optional, URI uri, Optional<Identity> optional2) {
            Assertions.assertThat(optional2).isPresent();
            if (parsedS3Request.keyInBucket().equals("default-allow")) {
                return SecurityResponse.SUCCESS;
            }
            if (parsedS3Request.keyInBucket().equals("default-deny")) {
                return SecurityResponse.FAILURE;
            }
            return this.opaClient.getSecurityResponse(new OpaRequest(UriBuilder.fromUri(uri).host(this.opaContainerHost).port(this.opaContainerPort).path("test").path("allow").build(new Object[0]), ImmutableMap.of("table", parsedS3Request.keyInBucket())));
        }
    }

    @Inject
    public TestOpaSecurity(@ForOpa HttpClient httpClient, S3Client s3Client, @S3Container.ForS3Container S3Client s3Client2, OpaContainer opaContainer) {
        this.httpClient = (HttpClient) Objects.requireNonNull(httpClient, "httpClient is null");
        this.s3Client = (S3Client) Objects.requireNonNull(s3Client, "s3Client is null");
        this.storageClient = (S3Client) Objects.requireNonNull(s3Client2, "storageClient is null");
        this.opaContainerHost = opaContainer.getHost();
        this.opaContainerPort = opaContainer.getPort();
    }

    @BeforeAll
    public void setup() {
        Assertions.assertThat(((StatusResponseHandler.StatusResponse) this.httpClient.execute(Request.Builder.preparePut().setUri(UriBuilder.newInstance().scheme("http").host(this.opaContainerHost).port(this.opaContainerPort).path("v1/policies/test").build(new Object[0])).setBodyGenerator(StaticBodyGenerator.createStaticBodyGenerator(POLICY, StandardCharsets.UTF_8)).build(), StatusResponseHandler.createStatusResponseHandler())).getStatusCode()).isEqualTo(200);
        this.storageClient.createBucket(builder -> {
            builder.bucket("opa-test-bucket");
        });
    }

    @Test
    public void testOPAPolicyAllowance() throws IOException {
        String str = "opa-test-bucket";
        String str2 = "good";
        this.storageClient.putObject(builder -> {
            builder.bucket(str).key(str2);
        }, RequestBody.fromString("test-content"));
        Assertions.assertThat(TestingUtil.getFileFromStorage(this.s3Client, "opa-test-bucket", "good")).isEqualTo("test-content");
    }

    @Test
    public void testOPAPolicyDisAllowance() {
        String str = "opa-test-bucket";
        String str2 = "bad";
        this.storageClient.putObject(builder -> {
            builder.bucket(str).key(str2);
        }, RequestBody.fromString("test-content"));
        Assertions.assertThatThrownBy(() -> {
            this.s3Client.getObject((GetObjectRequest) GetObjectRequest.builder().bucket(str).key(str2).build());
        }).asInstanceOf(InstanceOfAssertFactories.type(S3Exception.class)).extracting((v0) -> {
            return v0.statusCode();
        }).isEqualTo(401);
    }

    @Test
    public void testFastrackSuccess() throws IOException {
        String str = "opa-test-bucket";
        String str2 = "default-allow";
        this.storageClient.putObject(builder -> {
            builder.bucket(str).key(str2);
        }, RequestBody.fromString("test-content"));
        Assertions.assertThat(TestingUtil.getFileFromStorage(this.s3Client, "opa-test-bucket", "default-allow")).isEqualTo("test-content");
    }

    @Test
    public void testFastrackFailure() {
        String str = "opa-test-bucket";
        String str2 = "default-deny";
        this.storageClient.putObject(builder -> {
            builder.bucket(str).key(str2);
        }, RequestBody.fromString("test-content"));
        Assertions.assertThatThrownBy(() -> {
            this.s3Client.getObject((GetObjectRequest) GetObjectRequest.builder().bucket(str).key(str2).build());
        }).asInstanceOf(InstanceOfAssertFactories.type(S3Exception.class)).extracting((v0) -> {
            return v0.statusCode();
        }).isEqualTo(401);
    }
}
