package io.confluent.ksql.security.authorizer;

import com.google.common.collect.ImmutableList;
import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.ksql.security.AuthObjectType;
import io.confluent.ksql.security.KsqlAccessValidator;
import io.confluent.ksql.security.KsqlSecurityContext;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.errors.AuthorizationException;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.runners.MockitoJUnitRunner;

@RunWith(MockitoJUnitRunner.class)
/* loaded from: input_file:io/confluent/ksql/security/authorizer/KsqlAuthorizationProviderImplTest.class */
public class KsqlAuthorizationProviderImplTest {
    private static final String POST = "POST";
    private static final String SERVER_INFO_ENDPOINT = "/info";
    private static final String TERMINATE_ENDPOINT = "/ksql/terminate";
    private static final String KSQL_RESOURCE_TYPE = "KsqlCluster";

    @Mock
    private AuthorizationDecisionMaker authorizationDecisionMaker;

    @Mock
    private JwtPrincipal principalUser1;

    @Mock
    private KsqlAccessValidator kafkaPermissionsValidator;

    @Mock
    private KsqlSchemaRegistryPermissionsValidator srPermissionsValidator;

    @Mock
    private KsqlSecurityContext securityContext;
    private KsqlAuthorizationProviderImpl authorizationProvider;

    @Rule
    public final ExpectedException expectedException = ExpectedException.none();
    private static final List<String> ENDPOINTS_WITH_CONTRIBUTE = Arrays.asList("/", "/ksql", "/query", "/status");
    private static final Operation CONTRIBUTE = new Operation("Contribute");
    private static final Operation TERMINATE = new Operation("Terminate");

    @Before
    public void setUp() {
        this.authorizationProvider = new KsqlAuthorizationProviderImpl(this.authorizationDecisionMaker, this.kafkaPermissionsValidator, Optional.of(this.srPermissionsValidator));
        Mockito.when(this.principalUser1.getName()).thenReturn("user_1");
        Mockito.when(this.principalUser1.getJwt()).thenReturn("user_1_token");
    }

    @Test
    public void shouldAllowAccessToKsqlEndpointsIfUserHasContribute() {
        givenPermissionOnCluster(AuthorizeResult.ALLOWED, this.principalUser1, CONTRIBUTE);
        ENDPOINTS_WITH_CONTRIBUTE.forEach(str -> {
            this.authorizationProvider.checkEndpointAccess(this.principalUser1, POST, str);
        });
    }

    @Test
    public void shouldAllowAccessToTerminateEndpointIfUserHasTerminate() {
        givenPermissionOnCluster(AuthorizeResult.ALLOWED, this.principalUser1, TERMINATE);
        this.authorizationProvider.checkEndpointAccess(this.principalUser1, POST, TERMINATE_ENDPOINT);
    }

    @Test
    public void shouldAllowAccessOnServerInfoResource() {
        this.authorizationProvider.checkEndpointAccess(this.principalUser1, POST, SERVER_INFO_ENDPOINT);
    }

    @Test
    public void shouldDenyAccessToKsqlEndpointsIfUserDoesNotHaveContribute() {
        givenPermissionOnCluster(AuthorizeResult.DENIED, this.principalUser1, CONTRIBUTE);
        ENDPOINTS_WITH_CONTRIBUTE.forEach(str -> {
            try {
                this.authorizationProvider.checkEndpointAccess(this.principalUser1, POST, str);
                MatcherAssert.assertThat(String.format("\"%s %s\" should be denied", POST, str), false);
            } catch (Exception e) {
                MatcherAssert.assertThat(e, CoreMatchers.instanceOf(AuthorizationException.class));
                MatcherAssert.assertThat(e.getMessage(), CoreMatchers.is("You are forbidden from using this cluster."));
            }
        });
    }

    @Test
    public void shouldDenyAccessToTerminateEndpointIfUserDoesNotHaveTerminate() {
        givenPermissionOnCluster(AuthorizeResult.DENIED, this.principalUser1, TERMINATE);
        this.expectedException.expect(AuthorizationException.class);
        this.expectedException.expectMessage("You are forbidden from using this cluster.");
        this.authorizationProvider.checkEndpointAccess(this.principalUser1, POST, TERMINATE_ENDPOINT);
    }

    @Test
    public void shouldCallKafkaPermissionsValidatorWhenCheckingTopicPrivileges() {
        this.authorizationProvider.checkPrivileges(this.securityContext, AuthObjectType.TOPIC, "topic1", ImmutableList.of(AclOperation.WRITE, AclOperation.READ));
        ((KsqlAccessValidator) Mockito.verify(this.kafkaPermissionsValidator)).checkTopicAccess(this.securityContext, "topic1", AclOperation.WRITE);
        ((KsqlAccessValidator) Mockito.verify(this.kafkaPermissionsValidator)).checkTopicAccess(this.securityContext, "topic1", AclOperation.READ);
        Mockito.verifyNoMoreInteractions(new Object[]{this.kafkaPermissionsValidator});
        Mockito.verifyZeroInteractions(new Object[]{this.srPermissionsValidator});
    }

    @Test
    public void shouldCallSchemaRegistryPermissionsValidatorWhenCheckingSubjectPrivileges() {
        this.authorizationProvider.checkPrivileges(this.securityContext, AuthObjectType.SUBJECT, "subject1", ImmutableList.of(AclOperation.WRITE, AclOperation.READ));
        ((KsqlSchemaRegistryPermissionsValidator) Mockito.verify(this.srPermissionsValidator)).checkSubjectAccess(this.securityContext, "subject1", AclOperation.WRITE);
        ((KsqlSchemaRegistryPermissionsValidator) Mockito.verify(this.srPermissionsValidator)).checkSubjectAccess(this.securityContext, "subject1", AclOperation.READ);
        Mockito.verifyNoMoreInteractions(new Object[]{this.srPermissionsValidator});
        Mockito.verifyZeroInteractions(new Object[]{this.kafkaPermissionsValidator});
    }

    @Test
    public void shouldNotCallSchemaRegistryPermissionsValidatorIfNotPresent() {
        this.authorizationProvider = new KsqlAuthorizationProviderImpl(this.authorizationDecisionMaker, this.kafkaPermissionsValidator, Optional.empty());
        this.authorizationProvider.checkPrivileges(this.securityContext, AuthObjectType.SUBJECT, "subject1", ImmutableList.of(AclOperation.WRITE, AclOperation.READ));
        Mockito.verifyZeroInteractions(new Object[]{this.kafkaPermissionsValidator});
        Mockito.verifyZeroInteractions(new Object[]{this.srPermissionsValidator});
    }

    private void givenPermissionOnCluster(AuthorizeResult authorizeResult, Principal principal, Operation operation) {
        Mockito.when(this.authorizationDecisionMaker.checkAuthorization((Principal) Mockito.eq(principal), (String) Mockito.eq(KSQL_RESOURCE_TYPE), (String) Mockito.eq(""), (String) Mockito.eq(operation.name()))).thenReturn(authorizeResult);
    }
}
