package io.confluent.ksql.security.authorizer;

import com.google.common.collect.ImmutableMap;
import io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException;
import io.confluent.ksql.exception.KsqlSchemaAuthorizationException;
import io.confluent.ksql.security.KsqlSecurityContext;
import io.confluent.ksql.security.clients.KsqlSchemaRegistryPermissionsClient;
import io.confluent.ksql.services.ServiceContext;
import io.confluent.ksql.util.KsqlConfig;
import io.confluent.ksql.util.KsqlException;
import java.io.IOException;
import java.util.Arrays;
import java.util.Optional;
import org.apache.kafka.common.acl.AclOperation;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.MockitoJUnitRunner;

/**
 * Unit tests for {@link KsqlSchemaRegistryPermissionsValidator}, run against a mocked
 * {@link KsqlSchemaRegistryPermissionsClient}.
 *
 * <p>The tests cover two things: how the validator decides whether Schema Registry permission
 * checks are enabled, and how {@code checkSubjectAccess} behaves when an operation is allowed,
 * when it is denied, and when the permissions lookup itself fails.
 */
@RunWith(MockitoJUnitRunner.class)
public class KsqlSchemaRegistryPermissionsValidatorTest {

    /** Config key whose value the enable/disable tests vary. */
    private static final String SCHEMA_REGISTRY_URL_KEY = "ksql.schema.registry.url";

    /** Subject name used by the subject-access tests. */
    private static final String SUBJECT = "subject-1";

    @Mock
    private KsqlSchemaRegistryPermissionsClient srPermissionsClient;

    @Mock
    private KsqlConfig ksqlConfig;
    private KsqlSecurityContext securityContext;
    private KsqlSchemaRegistryPermissionsValidator srValidator;

    /** Builds a validator whose client factory always hands back the mocked permissions client. */
    @Before
    public void setup() {
        securityContext = new KsqlSecurityContext(Optional.empty(), (ServiceContext) null);
        srValidator = new KsqlSchemaRegistryPermissionsValidator(
                ksqlConfig,
                (config, props) -> srPermissionsClient);
    }

    /** Permission checks are reported as disabled when the URL is absent, empty or only blanks. */
    @Test
    public void shouldCheckSchemaRegistryDisableIfSchemaRegistryURLIsNullOrEmpty() {
        final boolean withoutUrl = KsqlSchemaRegistryPermissionsValidator
                .isSchemaRegistryPermissionsEnabled(new KsqlConfig(ImmutableMap.of()));
        MatcherAssert.assertThat(withoutUrl, CoreMatchers.is(false));

        final boolean withEmptyUrl = KsqlSchemaRegistryPermissionsValidator
                .isSchemaRegistryPermissionsEnabled(schemaRegistryConfig(""));
        MatcherAssert.assertThat(withEmptyUrl, CoreMatchers.is(false));

        final boolean withBlankUrl = KsqlSchemaRegistryPermissionsValidator
                .isSchemaRegistryPermissionsEnabled(schemaRegistryConfig("       "));
        MatcherAssert.assertThat(withBlankUrl, CoreMatchers.is(false));
    }

    /** With a URL configured and a permissions call that succeeds, checks are reported as enabled. */
    @Test
    public void shouldCheckSchemaRegistryEnabled() throws RestClientException, IOException {
        Mockito.when(srPermissionsClient.permissions()).thenReturn(ImmutableMap.of());

        final boolean enabled = KsqlSchemaRegistryPermissionsValidator
                .isSchemaRegistryPermissionsEnabled(
                        schemaRegistryConfig("url"),
                        (config, props) -> srPermissionsClient);

        MatcherAssert.assertThat(enabled, CoreMatchers.is(true));
    }

    /**
     * A 404 (error code 40401) from the permissions call makes the validator report checks as
     * disabled instead of failing.
     */
    @Test
    public void shouldReturnSchemaRegistryDisabledIfPermissionsEndPointNotFound() throws RestClientException, IOException {
        // NOTE(review): a 404 here switches the permission check off rather than raising an
        // error; confirm that this fallback is intended wherever the result gates authorization.
        Mockito.when(srPermissionsClient.permissions())
                .thenThrow(new RestClientException("", 404, 40401));

        final boolean enabled = KsqlSchemaRegistryPermissionsValidator
                .isSchemaRegistryPermissionsEnabled(
                        schemaRegistryConfig("url"),
                        (config, props) -> srPermissionsClient);

        MatcherAssert.assertThat(enabled, CoreMatchers.is(false));
    }

    /**
     * A 403 (error code 40301) from the permissions call surfaces as a {@link KsqlException}
     * rather than being read as "disabled".
     */
    @Test
    public void shouldThrowIfCannotConnectToSchemaRegistry() throws RestClientException, IOException {
        // The method name says "cannot connect", but the stubbed failure is an HTTP 403 response.
        Mockito.when(srPermissionsClient.permissions())
                .thenThrow(new RestClientException("", 403, 40301));

        Assert.assertThrows(
                KsqlException.class,
                () -> KsqlSchemaRegistryPermissionsValidator.isSchemaRegistryPermissionsEnabled(
                        schemaRegistryConfig("url"),
                        (config, props) -> srPermissionsClient));
    }

    /** READ passes when the subject's permission list is "Read" and "Write". */
    @Test
    public void shouldCheckAllowedSubjectAccess() throws RestClientException, IOException {
        Mockito.when(srPermissionsClient.permissions(SUBJECT))
                .thenReturn(Arrays.asList("Read", "Write"));

        // There is no explicit assertion: the test passes when this call does not throw.
        srValidator.checkSubjectAccess(securityContext, SUBJECT, AclOperation.READ);
    }

    /** CREATE is rejected with an authorization exception when only "Read" and "Write" are listed. */
    @Test
    public void shouldThrowOnDeniedSubjectAccess() throws RestClientException, IOException {
        Mockito.when(srPermissionsClient.permissions(SUBJECT))
                .thenReturn(Arrays.asList("Read", "Write"));

        Assert.assertThrows(
                KsqlSchemaAuthorizationException.class,
                () -> srValidator.checkSubjectAccess(securityContext, SUBJECT, AclOperation.CREATE));
    }

    /**
     * A failing permissions lookup (here an {@link IOException}) makes the access check throw a
     * {@link KsqlException}, so the check does not complete normally when the permissions could
     * not be read.
     */
    @Test
    public void shouldThrowOnAnyErrorWhenCheckingSubjectAccess() throws RestClientException, IOException {
        Mockito.when(srPermissionsClient.permissions(SUBJECT))
                .thenThrow(new IOException("error"));

        Assert.assertThrows(
                KsqlException.class,
                () -> srValidator.checkSubjectAccess(securityContext, SUBJECT, AclOperation.CREATE));
    }

    /** Creates a {@link KsqlConfig} whose only entry is the Schema Registry URL set to {@code url}. */
    private static KsqlConfig schemaRegistryConfig(final String url) {
        return new KsqlConfig(ImmutableMap.of(SCHEMA_REGISTRY_URL_KEY, url));
    }
}
