package io.confluent.ksql.security.authorizer;

import com.google.common.collect.ImmutableMap;
import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.ksql.util.KsqlConfig;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.auth.client.provider.HttpBearerCredentialProvider;
import io.confluent.security.auth.client.provider.HttpCredentialProvider;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.hamcrest.core.StringContains;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentMatcher;
import org.mockito.ArgumentMatchers;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.MockitoJUnitRunner;

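/**
 * Unit tests for {@link MdsRestAuthorizationDecisionMaker}, which obtains an authorization
 * decision from MDS through a {@link RestAuthorizer} client.
 *
 * <p>The tests pin two properties of the decision maker:
 * <ul>
 *   <li>an MDS reply that does not hold exactly one {@link AuthorizeResult} is rejected with an
 *       {@link IllegalStateException} rather than being read as allow or deny;</li>
 *   <li>the request sent to MDS carries the calling principal's bearer token and an
 *       {@link Action} targeting the configured KSQL cluster ({@link #CLUSTER_SCOPE},
 *       {@link #KSQL_RESOURCE_NAME}).</li>
 * </ul>
 *
 * <p>Changes from the earlier form of this class: {@link BearerCredentialsMatcher} is now a
 * {@code static} nested class (it never touched the enclosing test instance, so the hidden
 * outer reference was only a leak risk), {@code matches} carries {@code @Override}, and the raw
 * {@code List} casts on the {@code authorize} stubs were replaced by typed matchers.
 */
@RunWith(MockitoJUnitRunner.class)
public class MdsRestAuthorizationDecisionMakerTest {

    private static final ResourceType KSQL_RESOURCE_TYPE = new ResourceType("KsqlCluster");
    private static final String KSQL_RESOURCE_NAME = "ksql-cluster";
    private static final String KSQL_SERVICE_ID = "ksql-id";
    private static final String KAFKA_SERVICE_ID = "kafka-id";
    /** Scope every expected {@link Action} is built with: the KSQL cluster plus its Kafka cluster. */
    private static final Scope CLUSTER_SCOPE = new Scope.Builder(new String[0])
        .withCluster(KSQL_RESOURCE_NAME, KSQL_SERVICE_ID)
        .withKafkaCluster(KAFKA_SERVICE_ID)
        .build();

    @Mock
    private RestAuthorizer restAuthorizer;

    @Mock
    private JwtPrincipal principalUser1;

    private MdsRestAuthorizationDecisionMaker decisionMaker;

    /**
     * Mockito matcher that treats two {@link HttpBearerCredentialProvider}s as equal when they
     * return equal credentials, so a stub can be keyed on the token a principal presents.
     *
     * <p>Static: the matcher only needs the provider it was built with, never the enclosing
     * test instance.
     */
    public static class BearerCredentialsMatcher implements ArgumentMatcher<HttpBearerCredentialProvider> {
        private final HttpBearerCredentialProvider credentialProvider;

        /**
         * @param httpBearerCredentialProvider provider whose credentials an argument must equal
         */
        public BearerCredentialsMatcher(final HttpBearerCredentialProvider httpBearerCredentialProvider) {
            this.credentialProvider = httpBearerCredentialProvider;
        }

        /**
         * @param httpBearerCredentialProvider actual argument passed to the mocked call
         * @return {@code true} when both providers report equal credentials
         */
        @Override
        public boolean matches(final HttpBearerCredentialProvider httpBearerCredentialProvider) {
            final Object expected = credentialProvider.getCredentials();
            return expected.equals(httpBearerCredentialProvider.getCredentials());
        }
    }

    /**
     * Builds the decision maker against the mocked {@link RestAuthorizer}, initialises it with
     * the test service id, and gives {@code principalUser1} a fixed name and JWT.
     *
     * <p>The supplier lambda reads the {@code restAuthorizer} field on each call, so the mock
     * injected by the runner is the one the decision maker sees.
     */
    @Before
    public void setup() {
        decisionMaker = new MdsRestAuthorizationDecisionMaker(
            () -> restAuthorizer,
            ksqlConfig -> KAFKA_SERVICE_ID);
        decisionMaker.initialize(new KsqlConfig(ImmutableMap.of("ksql.service.id", KSQL_SERVICE_ID)));
        Mockito.when(principalUser1.getName()).thenReturn("user_1");
        Mockito.when(principalUser1.getJwt()).thenReturn("user_1_token");
    }

    /**
     * An empty result list from MDS must not be treated as a decision: the decision maker is
     * expected to fail with {@link IllegalStateException} naming the count it received.
     */
    @Test
    public void shouldThrowIllegalStateExceptionIfAuthorizerReturnsEmptyResults() {
        Mockito.when(restAuthorizer.authorize(
            ArgumentMatchers.any(HttpCredentialProvider.class),
            ArgumentMatchers.<KafkaPrincipal>any(),
            ArgumentMatchers.<String>any(),
            ArgumentMatchers.<List<Action>>any()))
            .thenReturn(Collections.emptyList());

        final IllegalStateException e = Assert.assertThrows(
            IllegalStateException.class,
            () -> decisionMaker.checkAuthorization(
                principalUser1, KSQL_RESOURCE_TYPE.name(), KSQL_RESOURCE_NAME, "op"));

        MatcherAssert.assertThat(
            e.getMessage(),
            StringContains.containsString("MDS returned unexpected results. Expected 1, got 0"));
    }

    /**
     * More than one result for a single-action request is equally unexpected; here the two
     * results even disagree (ALLOWED then DENIED), and neither may be picked.
     */
    @Test
    public void shouldThrowIllegalStateExceptionIfAuthorizerReturnsMultipleResults() {
        Mockito.when(restAuthorizer.authorize(
            ArgumentMatchers.any(HttpCredentialProvider.class),
            ArgumentMatchers.<KafkaPrincipal>any(),
            ArgumentMatchers.<String>any(),
            ArgumentMatchers.<List<Action>>any()))
            .thenReturn(Arrays.asList(AuthorizeResult.ALLOWED, AuthorizeResult.DENIED));

        final IllegalStateException e = Assert.assertThrows(
            IllegalStateException.class,
            () -> decisionMaker.checkAuthorization(
                principalUser1, KSQL_RESOURCE_TYPE.name(), KSQL_RESOURCE_NAME, "op"));

        MatcherAssert.assertThat(
            e.getMessage(),
            StringContains.containsString("MDS returned unexpected results. Expected 1, got 2"));
    }

    /**
     * The stub only answers when the call carries {@code principalUser1}'s bearer token and an
     * {@link Action} for {@link #KSQL_RESOURCE_NAME} in {@link #CLUSTER_SCOPE}. The resource name
     * passed to {@code checkAuthorization} is deliberately different ({@code "not-used"}), so an
     * ALLOWED outcome shows the decision maker builds the action from the configured cluster,
     * not from the caller-supplied name (presumably an unmatched call would yield an empty list
     * and the failure exercised above).
     */
    @Test
    public void shouldCallRestAuthorizerWithRequestedParameters() {
        givenPermissionOnCluster(AuthorizeResult.ALLOWED, principalUser1, new Operation("op"));

        final AuthorizeResult result = decisionMaker.checkAuthorization(
            principalUser1, KSQL_RESOURCE_TYPE.name(), "not-used", "op");

        MatcherAssert.assertThat(result, CoreMatchers.is(AuthorizeResult.ALLOWED));
    }

    /**
     * Stubs the authorizer to return a single {@code authorizeResult} for exactly one request
     * shape: credentials equal to {@code jwtPrincipal}'s bearer token and a one-element action
     * list for {@code operation} on the configured KSQL cluster. Principal and scope string
     * arguments are not constrained.
     *
     * @param authorizeResult the single result MDS should appear to return
     * @param jwtPrincipal principal whose JWT the request must present
     * @param operation operation the expected {@link Action} is built for
     */
    private void givenPermissionOnCluster(
        final AuthorizeResult authorizeResult,
        final JwtPrincipal jwtPrincipal,
        final Operation operation
    ) {
        final List<Action> expectedActions = Collections.singletonList(
            new Action(CLUSTER_SCOPE, KSQL_RESOURCE_TYPE, KSQL_RESOURCE_NAME, operation));

        Mockito.when(restAuthorizer.authorize(
            ArgumentMatchers.argThat(new BearerCredentialsMatcher(toBearerCredentials(jwtPrincipal))),
            ArgumentMatchers.<KafkaPrincipal>any(),
            ArgumentMatchers.<String>any(),
            ArgumentMatchers.eq(expectedActions)))
            .thenReturn(Collections.singletonList(authorizeResult));
    }

    /**
     * Wraps a principal's JWT in the bearer credential provider the decision maker is expected
     * to send.
     *
     * @param jwtPrincipal principal supplying the token
     * @return bearer provider carrying {@code jwtPrincipal.getJwt()}
     */
    private static HttpBearerCredentialProvider toBearerCredentials(final JwtPrincipal jwtPrincipal) {
        return new HttpBearerCredentialProvider(jwtPrincipal.getJwt());
    }
}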
