package io.confluent.kafka.schemaregistry.security.authorizer.rbac;

import io.confluent.kafka.schemaregistry.client.rest.entities.Schema;
import io.confluent.kafka.schemaregistry.client.rest.entities.SchemaString;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizeRequest;
import io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryResourceOperation;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Scope;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.UriInfo;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentCaptor;
import org.mockito.Captor;
import org.mockito.Matchers;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.runners.MockitoJUnitRunner;
import org.mockito.stubbing.Answer;

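/**
 * Unit tests for {@link RbacAuthorizer}.
 *
 * <p>Each test checks that a {@link SchemaRegistryResourceOperation} is translated into the
 * expected {@link Action} on the subject resource type within {@link #DUMMY_SCOPE}, and that the
 * decision returned by the mocked {@link RestAuthorizer} is what
 * {@link RbacAuthorizer#authorize} reports. Most operations are exercised for both ALLOWED and
 * DENIED so that a mapping which always grants access would be caught.
 */
@RunWith(MockitoJUnitRunner.class)
public class RbacAuthorizerTest {
    // Scope attached to every expected Action: one Kafka cluster plus one Schema Registry cluster.
    protected static final Scope DUMMY_SCOPE = new Scope.Builder(new String[0]).withKafkaCluster("kafka6").withCluster("schema-registry-cluster", "schema-registry9").build();
    // Principal placed on every AuthorizeRequest built by this class.
    protected static final Principal DUMMY_USER = new KafkaPrincipal("User", "Jim Egerton");
    // Subject name used by the subject-level requests; it contains a space on purpose or by
    // accident — NOTE(review): confirm whether name escaping is meant to be covered here.
    protected static final String DUMMY_SUBJECT = "Physical Education";
    protected RbacAuthorizer rbacAuthorizer;
    protected SchemaRegistryActions schemaRegistryActions;

    @Mock
    protected RestAuthorizer restAuthorizer;

    @Mock
    protected SchemaRegistry schemaRegistry;

    @Captor
    protected ArgumentCaptor<List<Action>> actionsCaptor;

    /** Builds a fresh authorizer around the mocked registry and mocked RBAC backend. */
    @Before
    public void setup() throws Exception {
        this.schemaRegistryActions = new SchemaRegistryActions(DUMMY_SCOPE);
        this.rbacAuthorizer = new RbacAuthorizer(this.schemaRegistry, this.restAuthorizer, this.schemaRegistryActions);
    }

    @Test
    public void testSubjectRead() throws Exception {
        testAuthorizedAndDeniedRequest(
                subjectAuthorizeRequest(SchemaRegistryResourceOperation.SUBJECT_READ),
                new Action(DUMMY_SCOPE, SchemaRegistryOperations.SUBJECT_RESOURCE, DUMMY_SUBJECT, SchemaRegistryOperations.READ));
    }

    @Test
    public void testSubjectWrite() throws Exception {
        testAuthorizedAndDeniedRequest(
                subjectAuthorizeRequest(SchemaRegistryResourceOperation.SUBJECT_WRITE),
                new Action(DUMMY_SCOPE, SchemaRegistryOperations.SUBJECT_RESOURCE, DUMMY_SUBJECT, SchemaRegistryOperations.WRITE));
    }

    @Test
    public void testSubjectDelete() throws Exception {
        testAuthorizedAndDeniedRequest(
                subjectAuthorizeRequest(SchemaRegistryResourceOperation.SUBJECT_DELETE),
                new Action(DUMMY_SCOPE, SchemaRegistryOperations.SUBJECT_RESOURCE, DUMMY_SUBJECT, SchemaRegistryOperations.DELETE));
    }

    @Test
    public void testSubjectCompatibilityRead() throws Exception {
        testAuthorizedAndDeniedRequest(
                subjectAuthorizeRequest(SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_READ),
                new Action(DUMMY_SCOPE, SchemaRegistryOperations.SUBJECT_RESOURCE, DUMMY_SUBJECT, SchemaRegistryOperations.READ_COMPATIBILITY));
    }

    @Test
    public void testSubjectCompatibilityWrite() throws Exception {
        testAuthorizedAndDeniedRequest(
                subjectAuthorizeRequest(SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_WRITE),
                new Action(DUMMY_SCOPE, SchemaRegistryOperations.SUBJECT_RESOURCE, DUMMY_SUBJECT, SchemaRegistryOperations.WRITE_COMPATIBILITY));
    }

    /**
     * Listing subjects is expected to be authorized even though no RestAuthorizer answer is
     * stubbed for it.
     */
    @Test
    public void testSubjectsList() {
        // NOTE(review): this only pins the "true" outcome; it does not show whether the RBAC
        // backend is consulted at all for this operation — confirm that is the intended contract.
        Assert.assertTrue(this.rbacAuthorizer.authorizeGlobalOperation(
                DUMMY_USER.getName(),
                SchemaRegistryResourceOperation.GLOBAL_SUBJECTS_READ,
                globalAuthorizeRequest(SchemaRegistryResourceOperation.GLOBAL_SUBJECTS_READ)));
    }

    @Test
    public void testGlobalCompatibilityRead() throws Exception {
        // Global operations are expected to be checked against the "__GLOBAL" resource name.
        testAuthorizedAndDeniedRequest(
                globalAuthorizeRequest(SchemaRegistryResourceOperation.GLOBAL_COMPATIBILITY_READ),
                new Action(DUMMY_SCOPE, SchemaRegistryOperations.SUBJECT_RESOURCE, "__GLOBAL", SchemaRegistryOperations.READ_COMPATIBILITY));
    }

    @Test
    public void testGlobalCompatibilityWrite() throws Exception {
        testAuthorizedAndDeniedRequest(
                globalAuthorizeRequest(SchemaRegistryResourceOperation.GLOBAL_COMPATIBILITY_WRITE),
                new Action(DUMMY_SCOPE, SchemaRegistryOperations.SUBJECT_RESOURCE, "__GLOBAL", SchemaRegistryOperations.WRITE_COMPATIBILITY));
    }

    /** Runs the schema-by-id scenario once with readable subjects and once with none. */
    @Test
    public void testSchemaLookupById() throws Exception {
        testSchemaLookupById(true);
        testSchemaLookupById(false);
    }

    /**
     * Checks authorization of a SCHEMA_READ request that addresses a schema by id instead of by
     * subject.
     *
     * <p>The registry mock lists subjects s1..s5 and reports schema id 420 under whichever
     * subject is looked up. The RBAC mock allows READ on s2 and s5 when {@code z} is true and on
     * no subject otherwise; the overall decision is expected to equal {@code z}.
     *
     * @param z whether the principal should be able to read some of the subjects
     */
    protected void testSchemaLookupById(boolean z) throws Exception {
        final SchemaString schemaString = new SchemaString("string");
        final Set<String> allSubjects =
                Collections.unmodifiableSet(new HashSet<String>(Arrays.asList("s1", "s2", "s3", "s4", "s5")));
        final Set<String> readableSubjects = z
                ? Collections.unmodifiableSet(new HashSet<String>(Arrays.asList("s2", "s5")))
                : Collections.<String>emptySet();

        // The schema id travels as the "id" path parameter of the mocked request context.
        MultivaluedHashMap<String, String> pathParameters = new MultivaluedHashMap<String, String>();
        pathParameters.putSingle("id", Integer.toString(420));
        UriInfo uriInfo = Mockito.mock(UriInfo.class);
        Mockito.when(uriInfo.getPathParameters()).thenReturn(pathParameters);
        ContainerRequestContext containerRequestContext = Mockito.mock(ContainerRequestContext.class);
        Mockito.when(containerRequestContext.getUriInfo()).thenReturn(uriInfo);
        AuthorizeRequest authorizeRequest = new AuthorizeRequest(DUMMY_USER, "", SchemaRegistryResourceOperation.SCHEMA_READ, containerRequestContext, (HttpServletRequest) null);

        Mockito.when(this.schemaRegistry.get(Matchers.eq(420))).thenReturn(schemaString);
        Mockito.when(this.schemaRegistry.listSubjects()).thenReturn(allSubjects);
        final ArgumentCaptor<String> subjectCaptor = ArgumentCaptor.forClass(String.class);
        Mockito.when(this.schemaRegistry.lookUpSchemaUnderSubject(subjectCaptor.capture(), (Schema) Matchers.any(Schema.class), Matchers.anyBoolean())).then(new Answer<Schema>() {
            // Must be named "answer" to implement Answer; echoes the looked-up subject back so
            // that schema 420 appears registered under every subject.
            @Override
            public Schema answer(InvocationOnMock invocationOnMock) {
                return new Schema(subjectCaptor.getValue(), 0, 420, schemaString.getSchemaString());
            }
        });
        Mockito.when(this.restAuthorizer.authorize((KafkaPrincipal) Matchers.eq(RbacAuthorizer.kafkaPrincipalFor(DUMMY_USER.getName())), (String) Matchers.eq((Object) null), (List) this.actionsCaptor.capture())).then(new Answer<List<AuthorizeResult>>() {
            // Answers each requested Action individually, after checking that it is a READ on a
            // known subject in the expected scope.
            // NOTE(review): these assertions fire inside the mocked call; they would be masked
            // if RbacAuthorizer caught Throwable around authorize — confirm it does not.
            @Override
            public List<AuthorizeResult> answer(InvocationOnMock invocationOnMock) {
                List<AuthorizeResult> results = new ArrayList<AuthorizeResult>();
                for (Action action : RbacAuthorizerTest.this.actionsCaptor.getValue()) {
                    Assert.assertEquals(RbacAuthorizerTest.DUMMY_SCOPE, action.scope());
                    Assert.assertEquals(SchemaRegistryOperations.SUBJECT_RESOURCE, action.resourceType());
                    Assert.assertEquals(SchemaRegistryOperations.READ, action.operation());
                    String resourceName = action.resourceName();
                    Assert.assertTrue(allSubjects.contains(resourceName));
                    results.add(readableSubjects.contains(resourceName) ? AuthorizeResult.ALLOWED : AuthorizeResult.DENIED);
                }
                return results;
            }
        });

        Assert.assertEquals(z, this.rbacAuthorizer.authorize(authorizeRequest));
    }

    /** Runs the same request through an ALLOWED and then a DENIED backend decision. */
    protected void testAuthorizedAndDeniedRequest(AuthorizeRequest authorizeRequest, Action action) throws Exception {
        testAuthorizedRequest(authorizeRequest, action);
        testDeniedRequest(authorizeRequest, action);
    }

    /** Expects {@code authorizeRequest} to be granted when the backend allows {@code action}. */
    protected void testAuthorizedRequest(AuthorizeRequest authorizeRequest, Action action) throws Exception {
        testRequest(authorizeRequest, action, true);
    }

    /** Expects {@code authorizeRequest} to be refused when the backend denies {@code action}. */
    protected void testDeniedRequest(AuthorizeRequest authorizeRequest, Action action) throws Exception {
        testRequest(authorizeRequest, action, false);
    }

    /**
     * Stubs the backend decision for exactly {@code action}, then checks both the reported
     * result and that the backend was asked for that single action and nothing else.
     *
     * @param authorizeRequest request handed to the authorizer under test
     * @param action the only Action the authorizer is expected to submit
     * @param z backend decision to simulate: true for ALLOWED, false for DENIED
     */
    private void testRequest(AuthorizeRequest authorizeRequest, Action action, boolean z) throws Exception {
        KafkaPrincipal expectedPrincipal = RbacAuthorizer.kafkaPrincipalFor(DUMMY_USER.getName());
        List<AuthorizeResult> backendDecision =
                Collections.singletonList(z ? AuthorizeResult.ALLOWED : AuthorizeResult.DENIED);
        Mockito.when(this.restAuthorizer.authorize((KafkaPrincipal) Matchers.eq(expectedPrincipal), (String) Matchers.eq((Object) null), (List) Matchers.eq(Collections.singletonList(action)))).thenReturn(backendDecision);

        Assert.assertEquals(z, this.rbacAuthorizer.authorize(authorizeRequest));

        // The exact-match verification fails the test if the operation was mapped to a different
        // resource, operation or scope than the one expected.
        Mockito.verify(this.restAuthorizer).authorize((KafkaPrincipal) Matchers.eq(expectedPrincipal), (String) Matchers.eq((Object) null), (List) Matchers.eq(Collections.singletonList(action)));
        Mockito.verifyNoMoreInteractions(this.restAuthorizer);
        // Reset so the next call in the same test method starts without stubs or recorded calls.
        Mockito.reset(this.restAuthorizer);
    }

    /** Builds a request for {@code schemaRegistryResourceOperation} on {@link #DUMMY_SUBJECT}. */
    protected static AuthorizeRequest subjectAuthorizeRequest(SchemaRegistryResourceOperation schemaRegistryResourceOperation) {
        return new AuthorizeRequest(DUMMY_USER, DUMMY_SUBJECT, schemaRegistryResourceOperation, (ContainerRequestContext) null, (HttpServletRequest) null);
    }

    /** Builds a request for {@code schemaRegistryResourceOperation} with no subject set. */
    protected static AuthorizeRequest globalAuthorizeRequest(SchemaRegistryResourceOperation schemaRegistryResourceOperation) {
        return new AuthorizeRequest(DUMMY_USER, (String) null, schemaRegistryResourceOperation, (ContainerRequestContext) null, (HttpServletRequest) null);
    }
}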
