package io.stargate.it.bridge;

import com.fasterxml.jackson.databind.ObjectMapper;
import io.grpc.StatusRuntimeException;
import io.stargate.it.driver.CqlSessionExtension;
import io.stargate.it.driver.CqlSessionSpec;
import io.stargate.it.storage.StargateConnectionInfo;
import io.stargate.it.storage.StargateParameters;
import io.stargate.it.storage.StargateSpec;
import io.stargate.proto.QueryOuterClass;
import java.io.IOException;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;

/**
 * Integration tests that check how the bridge's {@code executeQuery} call reacts to three kinds of
 * caller: an unknown token, a token for a role limited to {@code SELECT} on one keyspace, and a
 * token for the {@code cassandra} account that the tests use as the administrator.
 *
 * <p>The init queries below create two login roles, a keyspace with a single-row table, and grant
 * {@code SELECT} on that keyspace to {@code read_only_user} only. Every credential in this class is
 * a fixture for the test cluster.
 *
 * <p>NOTE(review): coverage is asymmetric. The two DDL tests exercise the unknown-token and
 * read-only cases but never the role without any grant, and the SELECT test never exercises an
 * unknown token. Consider adding those cases so each statement type is checked for both
 * UNAUTHENTICATED and PERMISSION_DENIED.
 */
@ExtendWith({CqlSessionExtension.class})
@CqlSessionSpec(
    initQueries = {
        "CREATE ROLE IF NOT EXISTS 'read_only_user' WITH PASSWORD = 'read_only_user' AND LOGIN = TRUE",
        "CREATE ROLE IF NOT EXISTS 'not_even_reads_user' WITH PASSWORD = 'tiger' AND LOGIN = TRUE",
        "CREATE KEYSPACE IF NOT EXISTS bridge_table_token_test WITH REPLICATION = {'class':'SimpleStrategy', 'replication_factor':'1'}",
        "CREATE TABLE IF NOT EXISTS bridge_table_token_test.tbl_test (key text PRIMARY KEY, value text)",
        "INSERT INTO bridge_table_token_test.tbl_test (key, value) VALUES ('a', 'alpha')",
        "GRANT SELECT ON KEYSPACE bridge_table_token_test TO read_only_user"
    })
@StargateSpec(parametersCustomizer = "buildParameters")
public class BridgeAuthorizationTest extends BridgeIntegrationTest {
    // Names of the keyspace and table created by the init queries above.
    private static final String KEYSPACE = "bridge_table_token_test";
    private static final String TABLE = "tbl_test";

    // Role that was granted SELECT on KEYSPACE and nothing else.
    private static final String READ_ONLY_USER = "read_only_user";
    private static final String READ_ONLY_PASSWORD = "read_only_user";

    // Role that can log in but received no grants.
    private static final String NO_ACCESS_USER = "not_even_reads_user";
    private static final String NO_ACCESS_PASSWORD = "tiger";

    // Account used as the administrator; "cassandra"/"cassandra" is Cassandra's stock superuser
    // login, so a cluster reachable outside the test harness should not keep it.
    private static final String ADMIN_USER = "cassandra";
    private static final String ADMIN_PASSWORD = "cassandra";

    // A bearer value that no login produced; used to provoke UNAUTHENTICATED.
    private static final String UNKNOWN_TOKEN = "not-a-token-that-exists";

    // Not referenced by any method visible in this class.
    private static final ObjectMapper objectMapper = new ObjectMapper();

    // Base URL of the token endpoint, rebuilt before each test.
    private String authUrlBase;

    /**
     * Points {@link #authUrlBase} at port 8081 of the Stargate seed address.
     *
     * <p>The URL uses plain {@code http}, so the fixture passwords travel unencrypted to the auth
     * endpoint; that is only acceptable because the endpoint belongs to the test cluster.
     *
     * @param stargateConnectionInfo connection details of the Stargate node under test
     */
    @BeforeEach
    public void perTestSetup(StargateConnectionInfo stargateConnectionInfo) {
        String seed = stargateConnectionInfo.seedAddress();
        this.authUrlBase = "http://" + seed + ":8081";
    }

    /**
     * Parameter customizer named by {@code @StargateSpec}: switches authentication on and sets the
     * {@code stargate.auth_id} system property to {@code AuthTableBasedService}.
     *
     * @param builder Stargate parameter builder to adjust
     */
    public static void buildParameters(StargateParameters.Builder builder) {
        builder.enableAuth(true);
        builder.putSystemProperties("stargate.auth_id", "AuthTableBasedService");
    }

    /**
     * {@code CREATE KEYSPACE} must fail as UNAUTHENTICATED for an unknown token, fail as
     * PERMISSION_DENIED for the read-only role, and succeed for the admin account.
     */
    @Test
    public void createKeyspaceCheckAuthorization() throws IOException {
        String cql =
            "CREATE KEYSPACE "
                + "ks_bridgeAuthnzTest_CreateKS"
                + " WITH REPLICATION = {'class':'SimpleStrategy', 'replication_factor':'1'}";

        assertRejected(UNKNOWN_TOKEN, cql, "UNAUTHENTICATED", "Invalid token");

        String readOnlyToken = generateReadOnlyToken();
        assertRejected(readOnlyToken, cql, "PERMISSION_DENIED", "has no CREATE permission");

        assertHasResultSet(runAs(generateAdminToken(), cql));
    }

    /**
     * {@code CREATE TABLE} inside the test keyspace must fail as UNAUTHENTICATED for an unknown
     * token, fail as PERMISSION_DENIED for the read-only role, and succeed for the admin account.
     */
    @Test
    public void createTableCheckAuthorization() throws IOException {
        String cql =
            "CREATE TABLE "
                + KEYSPACE
                + "."
                + "test_table_to_create"
                + " (key text PRIMARY KEY, value text)";

        assertRejected(UNKNOWN_TOKEN, cql, "UNAUTHENTICATED", "Invalid token");

        String readOnlyToken = generateReadOnlyToken();
        assertRejected(readOnlyToken, cql, "PERMISSION_DENIED", "has no CREATE permission");

        assertHasResultSet(runAs(generateAdminToken(), cql));
    }

    /**
     * {@code SELECT} on the seeded table must return its single row to the read-only role and fail
     * as PERMISSION_DENIED for the role that holds no grants.
     */
    @Test
    public void selectFromTableCheckAuthorization() throws IOException {
        String cql = "SELECT * FROM " + KEYSPACE + "." + TABLE;

        QueryOuterClass.Response allowed = runAs(generateReadOnlyToken(), cql);
        assertHasResultSet(allowed);
        // The init queries insert exactly one row ('a', 'alpha').
        Assertions.assertThat(allowed.getResultSet().getRowsCount()).isEqualTo(1);

        String noAccessToken = generateNoAccessToken();
        assertRejected(noAccessToken, cql, "PERMISSION_DENIED", "has no SELECT permission");
    }

    /** Sends {@code cql} through a stub that carries {@code token} as its call credentials. */
    private QueryOuterClass.Response runAs(String token, String cql) throws IOException {
        return stubWithCallCredentials(token)
            .executeQuery(QueryOuterClass.Query.newBuilder().setCql(cql).build());
    }

    /**
     * Asserts that running {@code cql} with {@code token} raises a {@link StatusRuntimeException}
     * whose message contains both the gRPC status name and the given detail text.
     */
    private void assertRejected(String token, String cql, String status, String detail) {
        Assertions.assertThatThrownBy(() -> runAs(token, cql))
            .isInstanceOf(StatusRuntimeException.class)
            .hasMessageContaining(status)
            .hasMessageContaining(detail);
    }

    /** Asserts that a response and its result set are both non-null. */
    private void assertHasResultSet(QueryOuterClass.Response response) {
        Assertions.assertThat(response).isNotNull();
        Assertions.assertThat(response.getResultSet()).isNotNull();
    }

    /** Logs in as the role without grants and returns its token. */
    private String generateNoAccessToken() throws IOException {
        return generateAuthToken(this.authUrlBase, NO_ACCESS_USER, NO_ACCESS_PASSWORD);
    }

    /** Logs in as the SELECT-only role and returns its token. */
    private String generateReadOnlyToken() throws IOException {
        return generateAuthToken(this.authUrlBase, READ_ONLY_USER, READ_ONLY_PASSWORD);
    }

    /** Logs in as the admin account and returns its token. */
    private String generateAdminToken() throws IOException {
        return generateAuthToken(this.authUrlBase, ADMIN_USER, ADMIN_PASSWORD);
    }
}
