package io.confluent.kafka.schemaregistry.security.authorizer.topicacl;

import io.confluent.common.security.auth.RestUserPrincipal;
import io.confluent.kafka.schemaregistry.client.rest.entities.Schema;
import io.confluent.kafka.schemaregistry.client.rest.entities.SchemaString;
import io.confluent.kafka.schemaregistry.exceptions.SchemaRegistryException;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizeRequest;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizerException;
import io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryResourceOperation;
import io.confluent.kafka.schemaregistry.security.config.SecureSchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.UriInfo;
import kafka.network.RequestChannel;
import kafka.security.auth.Operation;
import kafka.security.auth.Read$;
import kafka.security.auth.Resource;
import kafka.security.auth.SimpleAclAuthorizer;
import kafka.security.auth.Write$;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.InjectMocks;
import org.mockito.Matchers;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.MockitoAnnotations;
import org.mockito.internal.util.reflection.Whitebox;
import org.mockito.runners.MockitoJUnitRunner;

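/**
 * Unit tests for {@link SimpleTopicAclAuthorizer}.
 *
 * <p>The tests pin four behaviours that matter for access control:
 * <ul>
 *   <li>how a Schema Registry subject name is mapped to the Kafka topic whose ACLs are consulted;</li>
 *   <li>which principals may perform global operations (the configured super users only);</li>
 *   <li>how the client address is derived from the HTTP request;</li>
 *   <li>which (principal, operation, topic) triples are handed to the underlying
 *       {@link SimpleAclAuthorizer} for subject-scoped and schema-id-scoped requests.</li>
 * </ul>
 *
 * <p>The Kafka ACL authorizer is always a Mockito mock, so no ACL store is contacted.
 */
@RunWith(MockitoJUnitRunner.class)
public class SimpleTopicAclAuthorizerTest {

    /** Configuration key holding the semicolon-separated list of super users. */
    private static final String SUPER_USERS_CONFIG = "confluent.topic.acl.super.users";

    @Mock
    private ContainerRequestContext containerRequestContext;

    @Mock
    private UriInfo uriInfo;

    @Mock
    private SchemaRegistry schemaRegistry;

    @Mock
    private SimpleAclAuthorizer simpleAclAuthorizer;

    // Path parameters returned by the mocked UriInfo; individual tests add the "id" parameter.
    private MultivaluedMap<String, String> multivaluedMap = new MultivaluedHashMap<>();

    @InjectMocks
    SimpleTopicAclAuthorizer simpleTopicAclAuthorizer;

    /**
     * Resets every mock, creates a fresh authorizer and wires the request context so that
     * {@code getUriInfo().getPathParameters()} yields {@link #multivaluedMap}.
     */
    @Before
    public void setup() {
        Mockito.reset(this.containerRequestContext, this.uriInfo, this.schemaRegistry, this.simpleAclAuthorizer);
        // A new instance per test keeps configuration from one test out of the next.
        this.simpleTopicAclAuthorizer = new SimpleTopicAclAuthorizer();
        MockitoAnnotations.initMocks(this);
        Mockito.when(this.containerRequestContext.getUriInfo()).thenReturn(this.uriInfo);
        Mockito.when(this.uriInfo.getPathParameters()).thenReturn(this.multivaluedMap);
    }

    /**
     * A trailing {@code -key} is removed to obtain the name used for authorization.
     * The second assertion shows that "key" inside the name itself is left alone.
     */
    @Test
    public void testGetAuthorizationSubjectForKey() {
        Assert.assertEquals("subject", this.simpleTopicAclAuthorizer.getAuthorizationSubject("subject-key"));
        Assert.assertEquals("keysubject", this.simpleTopicAclAuthorizer.getAuthorizationSubject("keysubject-key"));
    }

    /**
     * A trailing {@code -value} is removed to obtain the name used for authorization.
     * The second assertion shows that "value" inside the name itself is left alone.
     */
    @Test
    public void testGetAuthorizationSubjectForValue() {
        Assert.assertEquals("subject", this.simpleTopicAclAuthorizer.getAuthorizationSubject("subject-value"));
        Assert.assertEquals("valuesubject", this.simpleTopicAclAuthorizer.getAuthorizationSubject("valuesubject-value"));
    }

    /** Every listed super user may run global operations; users outside the list may not. */
    @Test
    public void testAuthorizeGlobalOperationMultiUser() throws Exception {
        Properties properties = new Properties();
        properties.put(SUPER_USERS_CONFIG, "user1;user2;user3");
        configureAuthorizer(properties);
        assertGlobalOperationForUsers(true, "user1", "user2", "user3");
        assertGlobalOperationForUsers(false, "user4", "user5");
    }

    /** A single configured super user is the only principal allowed global operations. */
    @Test
    public void testAuthorizeGlobalOperationSingleUser() throws Exception {
        Properties properties = new Properties();
        properties.put(SUPER_USERS_CONFIG, "user1");
        configureAuthorizer(properties);
        assertGlobalOperationForUsers(true, "user1");
        assertGlobalOperationForUsers(false, "user4", "user5");
    }

    /**
     * With no super users configured, global operations are denied to everyone.
     * The empty user name is included so that an unset list can never match a blank principal.
     */
    @Test
    public void testAuthorizeGlobalOperationNoUser() throws Exception {
        configureAuthorizer(new Properties());
        assertGlobalOperationForUsers(false, "", "user4", "user5");
    }

    /**
     * The address in the {@code X-FORWARDED-FOR} header is returned as the client address.
     *
     * <p>Security note: this header is part of the request, so the value is only as reliable as
     * the proxy that writes it. Where host-based ACLs are in use, a trusted proxy should
     * overwrite any inbound value. This test leaves {@code getRemoteAddr()} unstubbed, so it
     * does not show which source wins when both are present.
     */
    @Test
    public void testGetClientAddress() throws UnknownHostException {
        HttpServletRequest httpServletRequest = Mockito.mock(HttpServletRequest.class);
        Mockito.when(httpServletRequest.getHeader("X-FORWARDED-FOR")).thenReturn("127.0.0.1");
        InetAddress clientAddress = this.simpleTopicAclAuthorizer.getClientAddress(httpServletRequest);
        Assert.assertNotNull(clientAddress);
        Assert.assertEquals("127.0.0.1", clientAddress.getHostAddress());
    }

    /**
     * Without the forwarding header, the servlet's remote address is resolved instead.
     * NOTE(review): the expected "127.0.0.1" depends on how the host resolves "localhost".
     */
    @Test
    public void testGetClientAddressForRemote() throws UnknownHostException {
        HttpServletRequest httpServletRequest = Mockito.mock(HttpServletRequest.class);
        Mockito.when(httpServletRequest.getRemoteAddr()).thenReturn("localhost");
        InetAddress clientAddress = this.simpleTopicAclAuthorizer.getClientAddress(httpServletRequest);
        Assert.assertNotNull(clientAddress);
        Assert.assertEquals("127.0.0.1", clientAddress.getHostAddress());
    }

    /**
     * A remote address that cannot be resolved yields {@code null} rather than an exception.
     * NOTE(review): this relies on "host2" not resolving on the machine running the test;
     * a name under the reserved ".invalid" TLD would remove that dependency.
     */
    @Test
    public void testGetClientAddressForUnknownHost() {
        HttpServletRequest httpServletRequest = Mockito.mock(HttpServletRequest.class);
        Mockito.when(httpServletRequest.getRemoteAddr()).thenReturn("host2");
        Assert.assertNull(this.simpleTopicAclAuthorizer.getClientAddress(httpServletRequest));
    }

    /** A request carrying neither a forwarding header nor a remote address yields {@code null}. */
    @Test
    public void testGetClientAddressNull() throws UnknownHostException {
        Assert.assertNull(this.simpleTopicAclAuthorizer.getClientAddress(Mockito.mock(HttpServletRequest.class)));
    }

    /**
     * For every subject-level operation, the ACL authorizer is asked about the topic derived
     * from the subject ("subject-key" becomes topic "subject") with the matching Kafka operation.
     */
    @Test
    public void testSubjectAuthorization() throws AuthorizerException, SchemaRegistryException {
        HttpServletRequest httpServletRequest = Mockito.mock(HttpServletRequest.class);
        this.multivaluedMap.putSingle("id", "1");
        mockSchemaRegistry("subject-key");
        Iterator<?> operations = SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS.iterator();
        while (operations.hasNext()) {
            SchemaRegistryResourceOperation schemaRegistryResourceOperation = (SchemaRegistryResourceOperation) operations.next();
            AuthorizeRequest authorizeRequest = new AuthorizeRequest(new RestUserPrincipal("user1"), "subject-key", schemaRegistryResourceOperation, this.containerRequestContext, httpServletRequest);
            // Clear recorded calls so the verification below sees only this iteration.
            Mockito.reset(this.simpleAclAuthorizer);
            this.simpleTopicAclAuthorizer.authorize(authorizeRequest);
            assertSubjectAuthorization("user1", "subject", getOperation(schemaRegistryResourceOperation));
        }
    }

    /**
     * A schema-id lookup carries no subject, so the authorizer walks the subjects that hold the
     * schema and checks Read on each derived topic, stopping at the first one that is granted.
     */
    @Test
    public void testSchemaIdLookupAuthorization() throws AuthorizerException, SchemaRegistryException {
        HttpServletRequest httpServletRequest = Mockito.mock(HttpServletRequest.class);
        this.multivaluedMap.putSingle("id", "1");
        mockSchemaRegistry("subject-key", "subject1-key");
        AuthorizeRequest authorizeRequest = new AuthorizeRequest(new RestUserPrincipal("user1"), (String) null, SchemaRegistryResourceOperation.SCHEMA_READ, this.containerRequestContext, httpServletRequest);

        // Phase 1: the unstubbed mock grants nothing, so both topics are checked.
        this.simpleTopicAclAuthorizer.authorize(authorizeRequest);
        assertSubjectAuthorization("user1", "subject", Read$.MODULE$);
        assertSubjectAuthorization("user1", "subject1", Read$.MODULE$);
        Mockito.verifyNoMoreInteractions(this.simpleAclAuthorizer);

        // Phase 2: Read is granted on the first topic, so the second topic is never checked.
        Mockito.reset(this.simpleAclAuthorizer);
        Mockito.when(this.simpleAclAuthorizer.authorize(Matchers.any(RequestChannel.Session.class), Matchers.eq(Read$.MODULE$), Matchers.eq(Resource.fromString("Topic:subject")))).thenReturn(true);
        this.simpleTopicAclAuthorizer.authorize(authorizeRequest);
        assertSubjectAuthorization("user1", "subject", Read$.MODULE$);
        Mockito.verifyNoMoreInteractions(this.simpleAclAuthorizer);

        // Phase 3: Read is granted only on the second topic, so both topics are checked.
        Mockito.reset(this.simpleAclAuthorizer);
        Mockito.when(this.simpleAclAuthorizer.authorize(Matchers.any(RequestChannel.Session.class), Matchers.eq(Read$.MODULE$), Matchers.eq(Resource.fromString("Topic:subject1")))).thenReturn(true);
        this.simpleTopicAclAuthorizer.authorize(authorizeRequest);
        assertSubjectAuthorization("user1", "subject", Read$.MODULE$);
        assertSubjectAuthorization("user1", "subject1", Read$.MODULE$);
        Mockito.verifyNoMoreInteractions(this.simpleAclAuthorizer);
    }

    /**
     * Installs the mocked ACL authorizer into the instance under test and applies {@code properties}.
     *
     * @param properties Schema Registry security settings for this test
     */
    private void configureAuthorizer(Properties properties) throws Exception {
        SecureSchemaRegistryConfig secureSchemaRegistryConfig = new SecureSchemaRegistryConfig(properties);
        // The mock is injected before configure() runs, exactly as each test did inline.
        Whitebox.setInternalState(this.simpleTopicAclAuthorizer, "simpleAclAuthorizer", this.simpleAclAuthorizer);
        this.simpleTopicAclAuthorizer.configure(secureSchemaRegistryConfig, this.schemaRegistry);
    }

    /**
     * Asserts that every global operation is allowed (or denied) for each of the given users.
     *
     * @param z       the expected authorization result
     * @param strArr  the user names to check
     */
    private void assertGlobalOperationForUsers(boolean z, String... strArr) {
        for (String user : strArr) {
            Iterator<?> operations = SchemaRegistryResourceOperation.GLOBAL_RESOURCE_OPERATIONS.iterator();
            while (operations.hasNext()) {
                Assert.assertEquals(Boolean.valueOf(z), Boolean.valueOf(this.simpleTopicAclAuthorizer.authorizeGlobalOperation(user, (SchemaRegistryResourceOperation) operations.next(), (AuthorizeRequest) null)));
            }
        }
    }

    /**
     * Maps a Schema Registry operation to the Kafka ACL operation the test expects:
     * names containing "read" map to Read, names containing "write" or "delete" map to Write.
     *
     * @return the expected Kafka operation, or {@code null} when the name matches neither group
     */
    private Operation getOperation(SchemaRegistryResourceOperation schemaRegistryResourceOperation) {
        // Locale.ROOT keeps the match stable under locales with special casing rules
        // (for example Turkish, where "I" lower-cases to a dotless "ı" and "write" would not match).
        String lowerCase = schemaRegistryResourceOperation.name().toLowerCase(Locale.ROOT);
        if (lowerCase.contains("read")) {
            return Read$.MODULE$;
        }
        if (lowerCase.contains("write") || lowerCase.contains("delete")) {
            return Write$.MODULE$;
        }
        return null;
    }

    /**
     * Verifies that the ACL authorizer was asked about {@code operation} on topic {@code str2}
     * for user {@code str}.
     *
     * <p>The expected session carries a {@code null} client address. The request mocks used by
     * the callers supply neither a forwarding header nor a remote address, so these tests do not
     * cover host-restricted ACLs.
     */
    private void assertSubjectAuthorization(String str, String str2, Operation operation) {
        Mockito.verify(this.simpleAclAuthorizer).authorize(new RequestChannel.Session(new KafkaPrincipal("User", str), (InetAddress) null), operation, Resource.fromString("Topic:" + str2));
    }

    /**
     * Stubs the schema registry so that any schema id resolves, the given subjects are listed,
     * and every subject lookup for a schema succeeds.
     *
     * @param strArr the subject names the registry should report
     */
    private void mockSchemaRegistry(String... strArr) throws SchemaRegistryException {
        Mockito.when(this.schemaRegistry.get(Matchers.anyInt())).thenReturn(new SchemaString());
        // LinkedHashSet keeps the subjects in the order given, which the id-lookup test depends on.
        Mockito.when(this.schemaRegistry.listSubjects()).thenReturn(new LinkedHashSet<>(Arrays.asList(strArr)));
        Mockito.when(this.schemaRegistry.lookUpSchemaUnderSubject(Matchers.anyString(), Matchers.any(Schema.class), Matchers.eq(true))).thenReturn(Mockito.mock(Schema.class));
    }
}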
