package io.confluent.ksql.security.authorizer;

import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.ksql.rest.server.resources.KsqlResource;
import io.confluent.ksql.rest.server.resources.ServerInfoResource;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.auth.client.provider.HttpBearerCredentialProvider;
import io.confluent.security.auth.client.provider.HttpCredentialProvider;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentMatcher;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.runners.MockitoJUnitRunner;

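@RunWith(MockitoJUnitRunner.class)
public class KsqlRestAuthorizerTest {
    private static final String GET_METHOD = "GET";
    /** Cluster name shared by the scope and by every {@link Action} the test expects to see. */
    private static final String KSQL_CLUSTER_NAME = "ksql-cluster";
    private static final Class<?> KSQL_RESOURCE = KsqlResource.class;
    private static final Scope SCOPE_CLUSTER = new Scope.Builder(new String[0])
        .withCluster(KSQL_CLUSTER_NAME, "ksql-id")
        .withKafkaCluster("kafka-id")
        .build();
    private static final ResourceType KSQL_CLUSTER = new ResourceType("KsqlCluster");
    private static final Operation CONTRIBUTE = new Operation("Contribute");

    @Mock
    private RestAuthorizer restAuthorizer;

    @Mock
    private ResourceActionsMapping resourceActionsMapping;

    @Mock
    private JwtPrincipal principalUser1;

    private KsqlRestAuthorizer ksqlAuthorizer;

    /**
     * Matches an {@link HttpBearerCredentialProvider} whose credentials equal those of the expected
     * provider, so a stub can be keyed on the bearer token handed to the authorizer rather than on
     * provider identity.
     *
     * <p>Static because it reads no state of the enclosing test; package-private, which is what the
     * decompiler reported the original access level to be.
     */
    static final class BearerCredentialsMatcher extends ArgumentMatcher<HttpBearerCredentialProvider> {
        private final HttpBearerCredentialProvider expected;

        public BearerCredentialsMatcher(HttpBearerCredentialProvider expected) {
            this.expected = expected;
        }

        /**
         * @param argument the actual argument passed to the mocked call; may be {@code null}
         * @return {@code true} only for a bearer provider carrying the expected credentials
         */
        @Override
        public boolean matches(Object argument) {
            // instanceof is already false for null, so no separate null check is needed
            if (!(argument instanceof HttpBearerCredentialProvider)) {
                return false;
            }
            Object actualCredentials = ((HttpBearerCredentialProvider) argument).getCredentials();
            return expected.getCredentials().equals(actualCredentials);
        }
    }

    @Before
    public void setUp() {
        ksqlAuthorizer = new KsqlRestAuthorizer(restAuthorizer, resourceActionsMapping);
        Mockito.when(principalUser1.getName()).thenReturn("user_1");
        Mockito.when(principalUser1.getJwt()).thenReturn("user_1_token");
    }

    @Test
    public void authorizeShouldReturnTrueOnAllowedOperation() {
        givenResourceMapping(KSQL_RESOURCE, GET_METHOD, SCOPE_CLUSTER, KSQL_CLUSTER, CONTRIBUTE);
        givenUserPermission(AuthorizeResult.ALLOWED, principalUser1, SCOPE_CLUSTER, KSQL_CLUSTER, CONTRIBUTE);

        Assert.assertThat(ksqlAuthorizer.hasAccess(principalUser1, KSQL_RESOURCE, GET_METHOD), CoreMatchers.is(true));
    }

    @Test
    public void authorizeShouldReturnFalseOnDeniedOperation() {
        givenResourceMapping(KSQL_RESOURCE, GET_METHOD, SCOPE_CLUSTER, KSQL_CLUSTER, CONTRIBUTE);
        givenUserPermission(AuthorizeResult.DENIED, principalUser1, SCOPE_CLUSTER, KSQL_CLUSTER, CONTRIBUTE);

        Assert.assertThat(ksqlAuthorizer.hasAccess(principalUser1, KSQL_RESOURCE, GET_METHOD), CoreMatchers.is(false));
    }

    @Test
    public void authorizeShouldReturnFalseOnActionNoFound() {
        // No permission is stubbed, so the mocked RestAuthorizer answers with Mockito's default
        // (an empty list, for the configured runner); access must fail closed in that case.
        givenResourceMapping(KSQL_RESOURCE, GET_METHOD, SCOPE_CLUSTER, KSQL_CLUSTER, CONTRIBUTE);

        Assert.assertThat(ksqlAuthorizer.hasAccess(principalUser1, KSQL_RESOURCE, GET_METHOD), CoreMatchers.is(false));
    }

    @Test
    public void authorizeShouldReturnFalseOnResourceMappingNotFound() {
        // A resource/method pair with no action mapping must be denied, not silently allowed.
        givenNoResourceMapping(KSQL_RESOURCE, GET_METHOD);

        Assert.assertThat(ksqlAuthorizer.hasAccess(principalUser1, KSQL_RESOURCE, GET_METHOD), CoreMatchers.is(false));
    }

    @Test
    public void authorizeShouldReturnTrueOnServerInfoResource() {
        // Nothing is stubbed here: the expectation is that ServerInfoResource is granted without
        // consulting the action mapping or the REST authorizer (presumably a deliberate exemption).
        Assert.assertThat(ksqlAuthorizer.hasAccess(principalUser1, ServerInfoResource.class, GET_METHOD), CoreMatchers.is(true));
    }

    /** Builds the action the authorizer is expected to request for this test's cluster. */
    private static Action clusterAction(Scope scope, ResourceType resourceType, Operation operation) {
        return new Action(scope, resourceType, KSQL_CLUSTER_NAME, operation);
    }

    /** Stubs the mapping so that {@code resource}/{@code method} resolves to no action at all. */
    private void givenNoResourceMapping(Class<?> resource, String method) {
        Mockito.when(resourceActionsMapping.get(resource, method)).thenReturn(Optional.empty());
    }

    /** Stubs the mapping so that {@code resource}/{@code method} resolves to a single cluster action. */
    private void givenResourceMapping(Class<?> resource, String method, Scope scope, ResourceType resourceType, Operation operation) {
        Mockito.when(resourceActionsMapping.get(resource, method))
            .thenReturn(Optional.of(clusterAction(scope, resourceType, operation)));
    }

    /**
     * Stubs the REST authorizer to answer {@code result} when asked about exactly the given action
     * on behalf of {@code principal}'s bearer token; any principal and any cluster-id string are
     * accepted for the remaining arguments.
     */
    private void givenUserPermission(AuthorizeResult result, JwtPrincipal principal, Scope scope, ResourceType resourceType, Operation operation) {
        List<Action> expectedActions = Collections.singletonList(clusterAction(scope, resourceType, operation));
        Mockito.when(restAuthorizer.authorize(
                // argThat is typed by the matcher's HttpBearerCredentialProvider parameter, while
                // authorize takes the HttpCredentialProvider supertype, hence the explicit cast.
                (HttpCredentialProvider) Mockito.argThat(new BearerCredentialsMatcher(toBearerCredentials(principal))),
                Mockito.any(KafkaPrincipal.class),
                Mockito.any(String.class),
                Mockito.eq(expectedActions)))
            .thenReturn(Collections.singletonList(result));
    }

    /** Wraps the principal's JWT in the bearer credential provider the authorizer is expected to use. */
    private static HttpBearerCredentialProvider toBearerCredentials(JwtPrincipal principal) {
        return new HttpBearerCredentialProvider(principal.getJwt());
    }
}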
