package co.cask.cdap.security.spi.authorization;

import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.proto.security.Role;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:co/cask/cdap/security/spi/authorization/AuthorizerTest.class */
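/**
 * Contract test for {@link Authorizer} implementations. It exercises grant / revoke / enforce
 * on a single entity, entity-wide revocation, and role-based access control (RBAC).
 * Concrete subclasses provide the implementation under test through {@link #get()}.
 *
 * <p>Note: {@link #get()} is invoked at the top of every test and again inside
 * {@link #verifyAuthFailure}, so each call must observe the same privilege state (for example
 * by returning a shared instance) for the negative checks to be meaningful — confirm per
 * implementation.
 *
 * <p>Every negative check relies on {@link Authorizer#enforce} throwing
 * {@link UnauthorizedException}; any other exception type propagates and fails the test.
 */
public abstract class AuthorizerTest {
    /** Entity that the single-entity tests grant and revoke privileges on. */
    private final NamespaceId namespace = new NamespaceId("foo");
    /** Ordinary user principal used as the grantee in the non-RBAC tests. */
    private final Principal user = new Principal("alice", Principal.PrincipalType.USER);

    /**
     * Returns the {@link Authorizer} under test. Called several times per test; see the class note.
     *
     * @return the authorizer implementation being verified
     */
    protected abstract Authorizer get();

    /**
     * Grant of a single action must be enforced, listed, and fully undone by the matching revoke.
     *
     * @throws Exception if the authorizer fails unexpectedly
     */
    @Test
    public void testSimple() throws Exception {
        Authorizer authorizer = get();
        // Default must be deny: no privilege has been granted yet.
        verifyAuthFailure(this.namespace, this.user, Action.READ);
        authorizer.grant(this.namespace, this.user, Collections.singleton(Action.READ));
        authorizer.enforce(this.namespace, this.user, Action.READ);
        // The listing must reflect exactly the granted privilege, nothing more.
        Set<Privilege> expectedPrivileges = new HashSet<Privilege>();
        expectedPrivileges.add(new Privilege(this.namespace, Action.READ));
        Assert.assertEquals(expectedPrivileges, authorizer.listPrivileges(this.user));
        authorizer.revoke(this.namespace, this.user, Collections.singleton(Action.READ));
        // Revocation must take effect immediately — no stale allow.
        verifyAuthFailure(this.namespace, this.user, Action.READ);
    }

    /**
     * Granting every {@link Action} must allow each one individually; revoking the same set must
     * deny again.
     *
     * @throws Exception if the authorizer fails unexpectedly
     */
    @Test
    public void testWildcard() throws Exception {
        Authorizer authorizer = get();
        verifyAuthFailure(this.namespace, this.user, Action.READ);
        authorizer.grant(this.namespace, this.user, EnumSet.allOf(Action.class));
        authorizer.enforce(this.namespace, this.user, Action.READ);
        authorizer.enforce(this.namespace, this.user, Action.WRITE);
        authorizer.enforce(this.namespace, this.user, Action.ADMIN);
        authorizer.enforce(this.namespace, this.user, Action.EXECUTE);
        authorizer.revoke(this.namespace, this.user, EnumSet.allOf(Action.class));
        verifyAuthFailure(this.namespace, this.user, Action.READ);
    }

    /**
     * Entity-wide revocation ({@link Authorizer#revoke(EntityId)}) must clear the privileges of
     * every principal on that entity, including a {@code ROLE}-typed principal, not only the
     * user's. The first half repeats the all-actions grant/revoke cycle of {@link #testWildcard}.
     *
     * @throws Exception if the authorizer fails unexpectedly
     */
    @Test
    public void testAll() throws Exception {
        Authorizer authorizer = get();
        verifyAuthFailure(this.namespace, this.user, Action.READ);
        authorizer.grant(this.namespace, this.user, EnumSet.allOf(Action.class));
        authorizer.enforce(this.namespace, this.user, Action.READ);
        authorizer.enforce(this.namespace, this.user, Action.WRITE);
        authorizer.enforce(this.namespace, this.user, Action.ADMIN);
        authorizer.enforce(this.namespace, this.user, Action.EXECUTE);
        authorizer.revoke(this.namespace, this.user, EnumSet.allOf(Action.class));
        verifyAuthFailure(this.namespace, this.user, Action.READ);
        // A Principal of type ROLE is distinct from the Role objects used in testRBAC; here it is
        // just a second grantee on the same entity.
        Principal adminsRole = new Principal("admins", Principal.PrincipalType.ROLE);
        authorizer.grant(this.namespace, this.user, Collections.singleton(Action.READ));
        authorizer.grant(this.namespace, adminsRole, EnumSet.allOf(Action.class));
        // Revoke everything on the entity for all principals at once.
        authorizer.revoke(this.namespace);
        verifyAuthFailure(this.namespace, this.user, Action.READ);
        verifyAuthFailure(this.namespace, adminsRole, Action.ADMIN);
        verifyAuthFailure(this.namespace, adminsRole, Action.READ);
        verifyAuthFailure(this.namespace, adminsRole, Action.WRITE);
        verifyAuthFailure(this.namespace, adminsRole, Action.EXECUTE);
    }

    /**
     * Role lifecycle and role-based privileges: roles can be created once and dropped once,
     * membership is tracked per principal, a privilege granted to a role is enforced and listed
     * for its members, and revoking it from the role denies the member again.
     *
     * @throws Exception if the authorizer fails unexpectedly
     */
    @Test
    public void testRBAC() throws Exception {
        Authorizer authorizer = get();
        Role admins = new Role("admins");
        Role engineers = new Role("engineers");
        authorizer.createRole(admins);
        authorizer.createRole(engineers);
        Set<Role> allRoles = authorizer.listAllRoles();
        Set<Role> expectedRoles = new HashSet<Role>();
        expectedRoles.add(admins);
        expectedRoles.add(engineers);
        Assert.assertEquals(expectedRoles, allRoles);
        // Creating a role twice must be rejected, not silently accepted.
        try {
            authorizer.createRole(admins);
            Assert.fail(String.format("Created a role %s which already exists. Should have failed.", admins.getName()));
        } catch (RoleAlreadyExistsException expected) {
            // expected
        }
        authorizer.dropRole(admins);
        Assert.assertEquals(Collections.singleton(engineers), authorizer.listAllRoles());
        // Dropping an unknown role must be reported, not ignored.
        try {
            authorizer.dropRole(admins);
            Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.", admins.getName()));
        } catch (RoleNotFoundException expected) {
            // expected
        }
        Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
        authorizer.addRoleToPrincipal(engineers, spiderman);
        // Membership in a role that no longer exists must be refused.
        try {
            authorizer.addRoleToPrincipal(admins, spiderman);
            Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
        } catch (RoleNotFoundException expected) {
            // expected
        }
        Assert.assertEquals(Collections.singleton(engineers), authorizer.listRoles(spiderman));
        NamespaceId ns1 = new NamespaceId("ns1");
        verifyAuthFailure(ns1, spiderman, Action.READ);
        // A privilege granted to the role must be effective for, and listed for, its member.
        authorizer.grant(ns1, engineers, Collections.singleton(Action.READ));
        authorizer.enforce(ns1, spiderman, Action.READ);
        Assert.assertEquals(Collections.singleton(new Privilege(ns1, Action.READ)), authorizer.listPrivileges(spiderman));
        authorizer.revoke(ns1, engineers, Collections.singleton(Action.READ));
        Assert.assertEquals(Collections.<Privilege>emptySet(), authorizer.listPrivileges(spiderman));
        verifyAuthFailure(ns1, spiderman, Action.READ);
        authorizer.removeRoleFromPrincipal(engineers, spiderman);
        Assert.assertEquals(Collections.<Role>emptySet(), authorizer.listRoles(spiderman));
        // Removing a role the principal never held (and which was dropped) must be reported.
        try {
            authorizer.removeRoleFromPrincipal(admins, spiderman);
            Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.", admins, spiderman));
        } catch (RoleNotFoundException expected) {
            // expected
        }
    }

    /**
     * Asserts that {@code action} on {@code entityId} is denied for {@code principal}, i.e. that
     * {@link Authorizer#enforce} throws {@link UnauthorizedException}. Uses {@link #get()} anew
     * rather than a cached instance; see the class note.
     *
     * @param entityId  entity the action targets
     * @param principal principal the action is evaluated for
     * @param action    action that must be denied
     * @throws Exception if {@code enforce} throws anything other than {@link UnauthorizedException}
     */
    private void verifyAuthFailure(EntityId entityId, Principal principal, Action action) throws Exception {
        try {
            get().enforce(entityId, principal, action);
            Assert.fail(String.format("Expected authorization failure, but it succeeded for entity %s, principal %s, action %s", entityId, principal, action));
        } catch (UnauthorizedException expected) {
            // expected: access must be denied
        }
    }
}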
