Add hive catalog, Add proper integration tests for roles

Author: Flgado

README.md

@@ -314,7 +314,13 @@ dsn, err := c.FormatDSN()
 
 **Query parameter example (overrides DSN roles):**
 ```go
-rows, err := db.Query(query, sql.Named("X-Trino-Role", "catalog1:role1;catalog2:role2;catalog3:ALL"))
+rows, err := db.Query(
+    query,
+    sql.Named("X-Trino-Role", map[string]string{
+        "catalog1": "role1",
+        "catalog2": "role2",
+    }),
+)
 ```
 
 #### Examples

trino/etc/catalog/hive.properties

@@ -0,0 +1,5 @@
+connector.name=hive
+hive.metastore=file
+hive.metastore.catalog.dir=/tmp/metastore
+hive.security=sql-standard
+fs.hadoop.enabled=true

trino/integration_test.go

@@ -183,6 +183,11 @@ func TestMain(m *testing.M) {
 
 		waitForContainerHealth(trinoResource.Container.ID, "trino")
 
+		err = grantAdminRoleToTestUser()
+		if err != nil {
+			log.Printf("Warning: Failed to grant admin role to test user: %s", err)
+		}
+
 		*integrationServerFlag = "http://test@localhost:" + trinoResource.GetPort("8080/tcp")
 		tlsServer = "https://admin:admin@localhost:" + trinoResource.GetPort("8443/tcp")
 
@@ -218,6 +223,35 @@ func TestMain(m *testing.M) {
 	os.Exit(code)
 }
 
+func grantAdminRoleToTestUser() error {
+	grantSQL := "SET ROLE admin IN hive; GRANT admin TO USER test IN hive;"
+
+	execCmd := []string{
+		"trino",
+		"--user", "admin",
+		"--execute", grantSQL,
+	}
+	exec, err := pool.Client.CreateExec(docker.CreateExecOptions{
+		Container: trinoResource.Container.ID,
+		Cmd:       execCmd,
+	})
+	if err != nil {
+		log.Printf("Warning: Failed to create exec for GRANT: %s", err)
+	} else {
+		var stdout, stderr bytes.Buffer
+		err = pool.Client.StartExec(exec.ID, docker.StartExecOptions{
+			Detach:       false,
+			OutputStream: &stdout,
+			ErrorStream:  &stderr,
+		})
+		if err != nil {
+			log.Printf("Warning: Failed to execute GRANT: %s", err)
+		}
+	}
+
+	return err
+}
+
 func getOrCreateLocalStack(pool *dt.Pool, networkID string) *dt.Resource {
 	resource, ok := pool.ContainerByName(DockerLocalStackName)
 	if ok {
@@ -1033,18 +1067,41 @@ func TestIntegrationNoResults(t *testing.T) {
 }
 func TestRoleHeaderSupport(t *testing.T) {
 	tests := []struct {
-		name        string
-		config      Config
-		rawDSN      string
-		expectError bool
-		errorSubstr string
+		name         string
+		config       Config
+		rawDSN       string
+		query        string
+		expectError  bool
+		errorSubstr  string
+		validateRows func(t *testing.T, rows *sql.Rows)
 	}{
 		{
-			name: "Valid roles via Config",
+			name: "Valid hive admin role via Config",
+			config: Config{
+				ServerURI: *integrationServerFlag,
+				Roles:     map[string]string{"hive": "admin"},
+			},
+			query:       "SHOW ROLES FROM hive",
+			expectError: false,
+			validateRows: func(t *testing.T, rows *sql.Rows) {
+				foundAdmin := false
+				for rows.Next() {
+					var roleName string
+					err := rows.Scan(&roleName)
+					require.NoError(t, err)
+					if roleName == "admin" {
+						foundAdmin = true
+					}
+				}
+				require.True(t, foundAdmin, "Expected to find 'admin' role in SHOW ROLES output")
+			},
+		},
+		{
 			config: Config{
 				ServerURI: *integrationServerFlag,
-				Roles:     map[string]string{"tpch": "role1", "memory": "role2"},
+				Roles:     map[string]string{"tpch": "NONE", "memory": "ALL"},
 			},
+			query:       "SELECT 1",
 			expectError: false,
 		},
 		{
@@ -1053,24 +1110,71 @@ func TestRoleHeaderSupport(t *testing.T) {
 				ServerURI: *integrationServerFlag,
 				Roles:     map[string]string{"tpch": "NONE", "memory": "ALL"},
 			},
+			query:       "SELECT 1",
 			expectError: false,
 		},
 		{
-			name:        "Valid roles via DSN, not encoded url",
-			rawDSN:      *integrationServerFlag + "?roles=tpch:role1;memory:role2",
+			name:        "Valid hive admin role via DSN, not encoded url",
+			rawDSN:      *integrationServerFlag + "?roles=hive:admin",
+			query:       "SHOW ROLES FROM hive",
 			expectError: false,
+			validateRows: func(t *testing.T, rows *sql.Rows) {
+				foundAdmin := false
+				for rows.Next() {
+					var roleName string
+					err := rows.Scan(&roleName)
+					require.NoError(t, err)
+					if roleName == "admin" {
+						foundAdmin = true
+					}
+				}
+				require.True(t, foundAdmin, "Expected to find 'admin' role in SHOW ROLES output")
+			},
 		},
 		{
 			name:        "Valid roles via DSN, url encoded",
-			rawDSN:      *integrationServerFlag + "?roles%3Dtpch%3Arole1%3Bmemory%3Arole2",
+			rawDSN:      *integrationServerFlag + "?roles=hive:admin",
+			query:       "SHOW ROLES FROM hive",
 			expectError: false,
+			validateRows: func(t *testing.T, rows *sql.Rows) {
+				foundAdmin := false
+				for rows.Next() {
+					var roleName string
+					err := rows.Scan(&roleName)
+					require.NoError(t, err)
+					if roleName == "admin" {
+						foundAdmin = true
+					}
+				}
+				require.True(t, foundAdmin, "Expected to find 'admin' role in SHOW ROLES output")
+			},
+		},
+		{
+			name: "No role - should fail to show roles",
+			config: Config{
+				ServerURI: *integrationServerFlag,
+			},
+			query:       "SHOW ROLES FROM hive",
+			expectError: true,
+			errorSubstr: "Access Denied",
+		},
+		{
+			name: "Wrong role - should fail to show roles",
+			config: Config{
+				ServerURI: *integrationServerFlag,
+				Roles:     map[string]string{"hive": "ALL"},
+			},
+			query:       "SHOW ROLES FROM hive",
+			expectError: true,
+			errorSubstr: "Access Denied",
 		},
 		{
 			name: "Non-existent catalog role",
 			config: Config{
 				ServerURI: *integrationServerFlag,
 				Roles:     map[string]string{"not-exist-catalog": "role1"},
 			},
+			query:       "SELECT 1",
 			expectError: true,
 			errorSubstr: "USER_ERROR: Catalog",
 		},
@@ -1091,7 +1195,9 @@ func TestRoleHeaderSupport(t *testing.T) {
 			}
 
 			db := integrationOpen(t, dns)
-			_, err = db.Query("SELECT 1")
+			defer db.Close()
+
+			rows, err := db.Query(tt.query)
 
 			if tt.expectError {
 				require.Error(t, err)
@@ -1100,6 +1206,10 @@ func TestRoleHeaderSupport(t *testing.T) {
 				}
 			} else {
 				require.NoError(t, err)
+				if tt.validateRows != nil && rows != nil {
+					defer rows.Close()
+					tt.validateRows(t, rows)
+				}
 			}
 		})
 	}

trino/trino.go

@@ -487,27 +487,29 @@ func formatRolesFromMap(rolesMap map[string]string) string {
 	return strings.Join(formattedRoles, commaSeparator)
 }
 
-// parseAndFormatRoles parses roles from DSN format (catalog1:roleA;catalog2:roleB)
-// and formats them into the Trino header format
-func parseAndFormatRoles(rolesString string) (string, error) {
-	var formattedRoles []string
-	for _, entry := range strings.Split(rolesString, mapEntrySeparator) {
-		parts := strings.SplitN(entry, mapKeySeparator, 2)
-		if len(parts) != 2 {
-			return "", fmt.Errorf("invalid role entry: %q", entry)
-		}
-		formattedRoles = append(formattedRoles, formatRoleEntry(parts[0], parts[1]))
-	}
-	sort.Strings(formattedRoles)
-	return strings.Join(formattedRoles, commaSeparator), nil
-}
-
 // formatRoleEntry formats a single catalog role entry into Trino header format
 func formatRoleEntry(catalog, role string) string {
 	if role == "ALL" || role == "NONE" {
 		return fmt.Sprintf("%s=%s", catalog, role)
 	}
-	return fmt.Sprintf("%s=ROLE{%q}", catalog, role)
+	return fmt.Sprintf("%s=ROLE{%s}", catalog, role)
+}
+
+// formatHeaderValue converts a named argument value to a string suitable for HTTP headers.
+func formatHeaderValue(headerName string, value interface{}) (string, error) {
+	if headerName == trinoRoleHeader {
+		rolesMap, ok := value.(map[string]string)
+		if !ok {
+			return "", fmt.Errorf("%s must be a map[string]string, got %T", trinoRoleHeader, value)
+		}
+		return formatRolesFromMap(rolesMap), nil
+	}
+
+	headerValue, ok := value.(string)
+	if !ok {
+		return "", fmt.Errorf("%s must be a string, got %T", headerName, value)
+	}
+	return headerValue, nil
 }
 
 func newConn(dsn string) (*Conn, error) {
@@ -1041,6 +1043,10 @@ func (st *driverStmt) CheckNamedValue(arg *driver.NamedValue) error {
 				return nil
 			}
 
+			if arg.Name == trinoRoleHeader {
+				return nil
+			}
+
 			if arg.Name == trinoProgressCallbackParam {
 				return nil
 			}
@@ -1235,29 +1241,27 @@ func (st *driverStmt) exec(ctx context.Context, args []driver.NamedValue) (*stmt
 				continue
 			}
 
-			s, err := Serial(arg.Value)
-			if err != nil {
-				return nil, err
-			}
-
 			if strings.HasPrefix(arg.Name, trinoHeaderPrefix) {
-				headerValue := arg.Value.(string)
+				headerValue, err := formatHeaderValue(arg.Name, arg.Value)
+				if err != nil {
+					return nil, err
+				}
 
 				if arg.Name == trinoUserHeader {
 					st.user = headerValue
 				}
 
 				if arg.Name == trinoRoleHeader {
-					formattedRoles, err := parseAndFormatRoles(headerValue)
-					if err != nil {
-						return nil, err
-					}
-					st.conn.httpHeaders.Set(trinoRoleHeader, formattedRoles)
-					headerValue = formattedRoles
+					st.conn.httpHeaders.Set(trinoRoleHeader, headerValue)
 				}
 
 				hs.Add(arg.Name, headerValue)
 			} else {
+				s, err := Serial(arg.Value)
+				if err != nil {
+					return nil, err
+				}
+
 				if st.conn.useExplicitPrepare && hs.Get(preparedStatementHeader) == "" {
 					for _, v := range st.conn.httpHeaders.Values(preparedStatementHeader) {
 						hs.Add(preparedStatementHeader, v)

trino/trino_test.go

@@ -1347,24 +1347,24 @@ func TestQueryCancellation(t *testing.T) {
 	assert.EqualError(t, err, ErrQueryCancelled.Error(), "unexpected error")
 }
 
-func TestTrinoRoleHeader(t *testing.T) {
+func TestRoleHeader(t *testing.T) {
 	tests := []struct {
 		name           string
 		roles          map[string]string
-		namedArg       string
+		namedArgRoles  map[string]string
 		expectedHeader string
 	}{
 		{
 			name:           "Roles from config",
 			roles:          map[string]string{"catalog1": "role1", "catalog2": "role2"},
-			namedArg:       "",
-			expectedHeader: `catalog1=ROLE{"role1"},catalog2=ROLE{"role2"}`,
+			namedArgRoles:  nil,
+			expectedHeader: `catalog1=ROLE{role1},catalog2=ROLE{role2}`,
 		},
 		{
-			name:           "Override roles with named argument",
+			name:           "Override dsn roles with named argument",
 			roles:          map[string]string{"catalog1": "role1"},
-			namedArg:       `catalog3:role3;catalog4:role4;catalog5:ALL`,
-			expectedHeader: `catalog3=ROLE{"role3"},catalog4=ROLE{"role4"},catalog5=ALL`,
+			namedArgRoles:  map[string]string{"catalog3": "role3", "catalog4": "role4", "catalog5": "ALL"},
+			expectedHeader: `catalog3=ROLE{role3},catalog4=ROLE{role4},catalog5=ALL`,
 		},
 	}
 
@@ -1391,8 +1391,8 @@ func TestTrinoRoleHeader(t *testing.T) {
 			db, err := sql.Open("trino", dsn)
 			require.NoError(t, err)
 
-			if tt.namedArg != "" {
-				_, _ = db.Query("SELECT 1", sql.Named("X-Trino-Role", tt.namedArg))
+			if tt.namedArgRoles != nil {
+				_, _ = db.Query("SELECT 1", sql.Named("X-Trino-Role", tt.namedArgRoles))
 			} else {
 				_, _ = db.Query("SELECT 1")
 			}
@@ -2801,7 +2801,7 @@ func TestSetRoleHeader(t *testing.T) {
 	require.NoError(t, err)
 	require.NoError(t, rows.Close())
 
-	assert.Equal(t, `catalog=ROLE{"user"}`, firstRoleHeader, "initial role from DSN should be sent in first request")
+	assert.Equal(t, `catalog=ROLE{user}`, firstRoleHeader, "initial role from DSN should be sent in first request")
 	assert.Equal(t, "ROLE%7Badmin%7D", secondRoleHeader, "server-set role should be sent in subsequent requests")
 	assert.NotEqual(t, firstRoleHeader, secondRoleHeader, "role should have changed from DSN value to server-set value")
 }