package io.confluent.connect.secretregistry;

import io.confluent.connect.secretregistry.rbac.SecretRegistryActions;
import io.confluent.connect.secretregistry.rbac.SecretRegistryOperations;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.Scope;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentCaptor;
import org.mockito.Captor;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.runners.MockitoJUnitRunner;

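/**
 * Unit tests for {@link ConnectSecretRegistryFilter}.
 *
 * <p>Two paths are covered: the request filter, which must abort requests whose actions the
 * caller may not perform, and the response filter, which must trim a listing of secret paths
 * to the entries the caller is permitted to see.
 */
@RunWith(MockitoJUnitRunner.class)
/* loaded from: input_file:io/confluent/connect/secretregistry/ConnectSecretRegistryFilterTest.class */
public class ConnectSecretRegistryFilterTest {
    protected static final KafkaPrincipal PRINCIPAL = new KafkaPrincipal("User", "prince");
    protected static final Scope SCOPE = new Scope.Builder(new String[0]).withKafkaCluster("clusterOne").withCluster("connect-cluster", "clusterTypeOne").build();
    // Every path the (mocked) resource returns before filtering.
    protected static final List<String> PATHS = Arrays.asList("pathOne", "pathTwo", "pathRed", "pathBlue");
    // The subset of PATHS on which setup() grants PRINCIPAL the READ operation.
    protected static final List<String> VISIBLE_PATHS = Arrays.asList("pathOne", "pathBlue");
    // Stand-in resource method that is not the list-paths endpoint; assigned in the static block below.
    protected static Method DUMMY_METHOD;

    @Mock
    protected SecretRegistryActions secretRegistryActions;

    @Mock
    protected ResourceInfo resourceInfo;

    @Mock
    protected ContainerRequestContext requestContext;

    @Mock
    protected ContainerResponseContext responseContext;
    protected MockAuthorizer authorizer;
    protected ConnectSecretRegistryFilter connectSecretRegistryFilter;

    @Captor
    private ArgumentCaptor<Collection<String>> pathsCaptor;

    /**
     * Builds the filter under test with an authenticated caller ({@link #PRINCIPAL}) that holds
     * READ on {@link #VISIBLE_PATHS} only, and a response entity containing all of {@link #PATHS}.
     */
    @Before
    public void setup() {
        this.authorizer = new MockAuthorizer();
        for (String visiblePath : VISIBLE_PATHS) {
            this.authorizer.allowPathOperations(PRINCIPAL, visiblePath, SecretRegistryOperations.READ);
        }
        SecurityContext securityContext = Mockito.mock(SecurityContext.class);
        Mockito.when(this.requestContext.getSecurityContext()).thenReturn(securityContext);
        Mockito.when(securityContext.getUserPrincipal()).thenReturn(PRINCIPAL);
        Mockito.when(this.responseContext.getEntity()).thenReturn(PATHS);
        this.connectSecretRegistryFilter = new ConnectSecretRegistryFilter(SCOPE, this.secretRegistryActions, this.authorizer, this.resourceInfo);
    }

    /** A successful response from an endpoint other than list-paths must be left untouched. */
    @Test
    public void shouldNotTryToFilterNonPathsListRequest() {
        expectResponseStatus(Response.Status.OK);
        expectRequestMethod(DUMMY_METHOD);
        filterResponse();
        // Only the status may be read: the entity is neither read nor replaced, and the
        // caller's principal is never looked up.
        Mockito.verify(this.responseContext, Mockito.atLeastOnce()).getStatus();
        Mockito.verifyNoMoreInteractions(this.responseContext);
        Mockito.verifyNoMoreInteractions(this.requestContext);
    }

    /** A failed list-paths response must be passed through without touching its entity. */
    @Test
    public void shouldNotTryToFilterPathsListOnFailedRequest() {
        expectPathsRequest(false);
        filterResponse();
        Mockito.verify(this.responseContext, Mockito.atLeastOnce()).getStatus();
        Mockito.verifyNoMoreInteractions(this.responseContext);
        Mockito.verifyNoMoreInteractions(this.requestContext);
    }

    /** A successful list-paths response must be reduced to the paths the caller may see. */
    @Test
    public void shouldFilterPathsListOnSuccessfulRequest() {
        expectPathsRequest(true);
        filterResponse();
        Mockito.verify(this.responseContext).setEntity(this.pathsCaptor.capture());
        assertPathListMatches(VISIBLE_PATHS, this.pathsCaptor.getValue());
    }

    /** Holding any single operation on a path is enough for that path to be listed. */
    @Test
    public void shouldListPathWithAnyPermittedPathOperation() {
        String path = "replicatorIsTotallyAPathCommaNathan";
        Set<String> onlyPath = Collections.singleton(path);
        SecretRegistryOperations.ALL.forEach(operation -> {
            // Start each iteration from a clean slate so that exactly one operation is granted
            // and exactly one setEntity call is recorded on the response mock.
            Mockito.reset(this.resourceInfo, this.responseContext);
            this.authorizer.clear();
            expectResponseStatus(Response.Status.OK);
            expectRequestMethod(ConnectSecretRegistryFilter.LIST_PATHS_METHOD);
            Mockito.when(this.responseContext.getEntity()).thenReturn(onlyPath);
            this.authorizer.allowPathOperations(PRINCIPAL, path, operation);
            filterResponse();
            Mockito.verify(this.responseContext).setEntity(this.pathsCaptor.capture());
            assertPathListMatches(onlyPath, this.pathsCaptor.getValue());
        });
    }

    /** A resource method that maps to no actions must pass without consulting the request. */
    @Test
    public void shouldAllowActionsThatDoNotRequireAuthorization() throws Exception {
        // NOTE(review): presumably makes the mock authorizer reject any authorization call;
        // confirm against MockAuthorizer.
        this.authorizer.expectAuthorization(false);
        expectRequestMethod(DUMMY_METHOD);
        Mockito.when(this.secretRegistryActions.actions(DUMMY_METHOD, this.requestContext)).thenReturn(Collections.emptyList());
        filterRequest();
        // No interaction at all: in particular the request is not aborted.
        Mockito.verifyNoMoreInteractions(this.requestContext);
    }

    /** A caller holding every required operation must be let through. */
    @Test
    public void shouldAllowAuthorizedActions() throws Exception {
        String path = "rotcennoc";
        this.authorizer.clear();
        this.authorizer.allowPathOperations(PRINCIPAL, path, SecretRegistryOperations.READ, SecretRegistryOperations.DELETE);
        expectRequestMethod(DUMMY_METHOD);
        Mockito.when(this.secretRegistryActions.actions(DUMMY_METHOD, this.requestContext)).thenReturn(readAndDeleteActions(path));
        filterRequest();
        // abortWith on a mock is a no-op, so without this check the test would also pass if
        // the filter wrongly rejected an authorized caller.
        Mockito.verify(this.requestContext, Mockito.never()).abortWith(Mockito.any(Response.class));
    }

    /** A request with no user principal must be aborted with 401 Unauthorized. */
    @Test
    public void shouldDisallowUnauthenticatedActions() throws Exception {
        String path = "rotcennoc";
        this.authorizer.clear();
        expectRequestMethod(DUMMY_METHOD);
        Mockito.when(this.secretRegistryActions.actions(DUMMY_METHOD, this.requestContext)).thenReturn(readAndDeleteActions(path));
        // Replace the security context from setup() with one that carries no principal.
        SecurityContext securityContext = Mockito.mock(SecurityContext.class);
        Mockito.when(securityContext.getUserPrincipal()).thenReturn(null);
        Mockito.when(this.requestContext.getSecurityContext()).thenReturn(securityContext);
        ArgumentCaptor<Response> responseCaptor = ArgumentCaptor.forClass(Response.class);
        filterRequest();
        Mockito.verify(this.requestContext).abortWith(responseCaptor.capture());
        Assert.assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), responseCaptor.getValue().getStatus());
    }

    /** An authenticated caller lacking the required operations must be aborted with 403 Forbidden. */
    @Test
    public void shouldDisallowUnauthorizedActions() throws Exception {
        String path = "rotcennoc";
        // Presumably drops the READ grants made in setup(), leaving PRINCIPAL with no
        // permissions; confirm against MockAuthorizer.
        this.authorizer.clear();
        expectRequestMethod(DUMMY_METHOD);
        Mockito.when(this.secretRegistryActions.actions(DUMMY_METHOD, this.requestContext)).thenReturn(readAndDeleteActions(path));
        ArgumentCaptor<Response> responseCaptor = ArgumentCaptor.forClass(Response.class);
        filterRequest();
        Mockito.verify(this.requestContext).abortWith(responseCaptor.capture());
        Assert.assertEquals(Response.Status.FORBIDDEN.getStatusCode(), responseCaptor.getValue().getStatus());
    }

    /** Runs the request-side filter against the mocked request. */
    protected void filterRequest() throws Exception {
        this.connectSecretRegistryFilter.filter(this.requestContext);
    }

    /** Runs the response-side filter against the mocked request and response. */
    protected void filterResponse() {
        this.connectSecretRegistryFilter.filter(this.requestContext, this.responseContext);
    }

    /**
     * Stubs a call to the list-paths endpoint.
     *
     * @param z {@code true} for a 200 OK response, {@code false} for a 401 Unauthorized one
     */
    protected void expectPathsRequest(boolean z) {
        expectResponseStatus(z ? Response.Status.OK : Response.Status.UNAUTHORIZED);
        expectRequestMethod(ConnectSecretRegistryFilter.LIST_PATHS_METHOD);
    }

    /** Stubs the resource method that {@link ResourceInfo} reports for the current request. */
    protected void expectRequestMethod(Method method) {
        Mockito.when(this.resourceInfo.getResourceMethod()).thenReturn(method);
    }

    /** Stubs the status code reported by the mocked response. */
    protected void expectResponseStatus(Response.Status status) {
        Mockito.when(this.responseContext.getStatus()).thenReturn(status.getStatusCode());
    }

    /**
     * Asserts that both collections hold the same elements regardless of order.
     *
     * @param collection the expected paths
     * @param collection2 the paths actually produced by the filter
     */
    protected void assertPathListMatches(Collection<String> collection, Collection<String> collection2) {
        Assert.assertEquals(new HashSet<>(collection), new HashSet<>(collection2));
        // The set comparison ignores duplicates, so compare sizes as well.
        Assert.assertEquals(collection.size(), collection2.size());
    }

    /** Builds the READ and DELETE actions on {@code path} that the mocked action lookup returns. */
    private static List<Action> readAndDeleteActions(String path) {
        return Stream.of(SecretRegistryOperations.READ, SecretRegistryOperations.DELETE)
                .map(operation -> new Action(SCOPE, SecretRegistryActions.SECRET_RESOURCE, path, operation))
                .collect(Collectors.toList());
    }

    /** Target of {@link #DUMMY_METHOD}; intentionally empty. */
    public void dummyMethod() {
    }

    static {
        try {
            DUMMY_METHOD = ConnectSecretRegistryFilterTest.class.getMethod("dummyMethod");
        } catch (NoSuchMethodException e) {
            // Keep the cause so a failure in class initialisation can be diagnosed.
            throw new RuntimeException("Failed to locate method used during testing", e);
        }
    }
}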
