package io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl;

import io.confluent.common.security.auth.RestUserPrincipal;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizeRequest;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizerException;
import io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryResourceOperation;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.MultivaluedMap;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.MockitoAnnotations;
import org.mockito.junit.MockitoJUnitRunner;

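/**
 * Unit tests for {@link SchemaRegistryAclAuthorizer}.
 *
 * <p>Each test fills the two ACL maps handed to
 * {@code configureAllowedOperations} in {@link #setup()} and then checks the
 * allow/deny decision returned by {@code authorize} for a given principal,
 * subject and operation. The subject map is keyed by principal name, then by
 * subject pattern; the global map is keyed by principal name only.
 *
 * <p>Because this class guards an authorization decision, every positive
 * ("allowed") scenario should ideally be paired with a negative one, so that
 * an over-permissive matcher cannot pass the suite unnoticed.
 */
@RunWith(MockitoJUnitRunner.class)
public class SchemaRegistryAclAuthorizerTest {

    @Mock
    private ContainerRequestContext containerRequestContext;

    @Mock
    private SchemaRegistry schemaRegistry;

    // NOTE(review): nothing in this class hands this map to the mocked request
    // context, so the "id" entries added by several tests do not appear to
    // reach the authorizer. Confirm whether a stub was lost or the map is dead.
    private MultivaluedMap<String, String> multivaluedMap = new MultivaluedHashMap<>();

    // principal -> subject pattern -> operations allowed on matching subjects
    private Map<String, Map<String, Set<SchemaRegistryResourceOperation>>> subjectAllowedOperations;

    // principal -> operations allowed at global scope
    private Map<String, Set<SchemaRegistryResourceOperation>> globalAllowedOperations;

    @InjectMocks
    SchemaRegistryAclAuthorizer schemaRegistryAclAuthorizer;

    /**
     * Builds a fresh authorizer backed by empty ACL maps, so that every test
     * starts from a state in which no ACL has been registered.
     */
    @Before
    public void setup() {
        this.schemaRegistryAclAuthorizer = new SchemaRegistryAclAuthorizer();
        this.multivaluedMap.clear();
        this.subjectAllowedOperations = new ConcurrentHashMap<>();
        this.globalAllowedOperations = new ConcurrentHashMap<>();
        // The authorizer keeps references to these maps; the tests mutate them
        // afterwards to register ACLs.
        this.schemaRegistryAclAuthorizer.configureAllowedOperations(
            this.subjectAllowedOperations, this.globalAllowedOperations);
        MockitoAnnotations.initMocks(this);
    }

    /** An exact-subject ACL grants the listed operations to its principal. */
    @Test
    public void testSubjectAuthorize() throws AuthorizerException {
        addSubjectAcl("user1", "subject1", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        this.multivaluedMap.add("id", "1");
        assertAllowAll("user1", "subject1", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
    }

    /** A subject pattern with an embedded {@code *} matches a subject that fits it. */
    @Test
    public void testSubjectWithWildcardAuthorize() throws AuthorizerException {
        addSubjectAcl("user1", "subject*key", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        assertAllowAll("user1", "subject1somethingkey", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        // The wildcard applies to the subject only: a principal without any ACL
        // entry must still be refused.
        assertDenyAll("user2", "subject1somethingkey", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);

        // NOTE(review): this second round registers the same pattern and checks
        // the same subject as the first one; presumably a different pattern was
        // intended. Confirm against the original test.
        this.subjectAllowedOperations.clear();
        addSubjectAcl("user1", "subject*key", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        assertAllowAll("user1", "subject1somethingkey", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);

        // NOTE(review): no subject that fails the pattern is checked here (for
        // example one lacking the "key" suffix). Add a deny assertion once the
        // intended matching semantics are confirmed.
    }

    /**
     * Wildcard patterns keep working when the literal parts contain
     * {@code .}, {@code _} or {@code -}.
     */
    @Test
    public void testSubjectWithWildcardAndSpecialCharsInTopicNameAuthorize() throws AuthorizerException {
        addSubjectAcl("user1", "subject*.something.*", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        assertAllowAll("user1", "subject1.something.else", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        assertDenyAll("user2", "subject1.something.else", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);

        this.subjectAllowedOperations.clear();
        addSubjectAcl("user1", "subject*_some*_else*", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        assertAllowAll("user1", "subject1_something_else", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);

        this.subjectAllowedOperations.clear();
        addSubjectAcl("user1", "subject*-some*-else*", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        assertAllowAll("user1", "subject1-something-else", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);

        // NOTE(review): only matching subjects are exercised. If patterns are
        // translated to regular expressions, a '.' treated as "any character"
        // would widen the ACL silently; a deny case where the '.' position
        // holds another character would pin that down. Confirm intended
        // semantics before adding it.
    }

    /** {@code *} as principal and/or subject widens the ACL only along that axis. */
    @Test
    public void testSubjectAuthorizeWithAllowAllAcl() throws AuthorizerException {
        // Any principal, any subject.
        addSubjectAcl("*", "*", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        this.multivaluedMap.add("id", "1");
        assertAllowAll("user1", "subject1", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);

        // One principal, any subject: other principals stay locked out.
        this.subjectAllowedOperations.clear();
        addSubjectAcl("user1", "*", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        assertAllowAll("user1", "subject1", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        assertAllowAll("user1", "subject2", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        assertDenyAll("user2", "subject1", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);

        // Any principal, one subject: other subjects stay locked out.
        this.subjectAllowedOperations.clear();
        addSubjectAcl("*", "subject1", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        assertAllowAll("user1", "subject1", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        assertAllowAll("user2", "subject1", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        assertDenyAll("user1", "subject2", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
    }

    /** Granting a single subject operation must not grant the remaining ones. */
    @Test
    public void testSubjectAuthorizeForDenyOperations() throws AuthorizerException {
        this.multivaluedMap.add("id", "1");
        addSubjectAclAndAssert("user1", "subject1", SchemaRegistryResourceOperation.SUBJECT_READ);
    }

    /** An ACL for one principal does not leak to another principal. */
    @Test
    public void testSubjectAuthorizeForDenyUser() throws AuthorizerException {
        addSubjectAcl("user1", "subject1", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        this.multivaluedMap.add("id", "1");
        assertDenyAll("user2", "subject1", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        // Once user2 gets a read-only ACL, exactly that operation opens up.
        addSubjectAclAndAssert("user2", "subject1", SchemaRegistryResourceOperation.SUBJECT_READ);
    }

    /** An ACL registered on the bare context prefix covers a subject under it. */
    @Test
    public void testContextAuthorize() throws AuthorizerException {
        String qualifiedSubject = ":.ctx1:subject1";
        addSubjectAcl("user1", ":.ctx1:", SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        this.multivaluedMap.add("id", "1");
        assertAllowAll("user1", qualifiedSubject, SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS);
        // NOTE(review): there is no check that a subject in a different context
        // is refused; add one once the cross-context semantics are confirmed.
    }

    /** A global ACL grants the listed global operations (subject is {@code null}). */
    @Test
    public void testGlobalAuthorize() throws AuthorizerException {
        addGlobalAcl("user1", SchemaRegistryResourceOperation.GLOBAL_RESOURCE_OPERATIONS);
        assertAllowAll("user1", null, SchemaRegistryResourceOperation.GLOBAL_RESOURCE_OPERATIONS);
    }

    /** Granting a single global operation must not grant the remaining ones. */
    @Test
    public void testGlobalAuthorizeForDenyOperations() throws AuthorizerException {
        addGlobalAclAndAssert("user1", SchemaRegistryResourceOperation.GLOBAL_COMPATIBILITY_READ);
    }

    /** A {@code *} principal in the global map applies to every principal. */
    @Test
    public void testGlobalAuthorizeWithAllowAllAcl() throws AuthorizerException {
        addGlobalAcl("*", SchemaRegistryResourceOperation.GLOBAL_RESOURCE_OPERATIONS);
        assertAllowAll("user1", null, SchemaRegistryResourceOperation.GLOBAL_RESOURCE_OPERATIONS);
        assertAllowAll("user2", null, SchemaRegistryResourceOperation.GLOBAL_RESOURCE_OPERATIONS);

        // Narrow the wildcard principal to one operation; everything else in
        // the global set must then be refused for every principal.
        this.globalAllowedOperations.clear();
        Set<SchemaRegistryResourceOperation> granted =
            new HashSet<>(Arrays.asList(SchemaRegistryResourceOperation.GLOBAL_COMPATIBILITY_READ));
        addGlobalAcl("*", granted);
        assertAllowAll("user1", null, granted);
        assertAllowAll("user2", null, granted);

        Set<SchemaRegistryResourceOperation> refused =
            getDenyOperations(granted, SchemaRegistryResourceOperation.GLOBAL_RESOURCE_OPERATIONS);
        assertDenyAll("user1", null, refused);
        assertDenyAll("user2", null, refused);
    }

    /**
     * Registers a subject ACL for the given operations, then asserts that those
     * operations are allowed and every other subject operation is denied.
     */
    private void addSubjectAclAndAssert(String user, String subject,
            SchemaRegistryResourceOperation... operations) throws AuthorizerException {
        Set<SchemaRegistryResourceOperation> granted = new HashSet<>(Arrays.asList(operations));
        addSubjectAcl(user, subject, granted);
        assertAllowAll(user, subject, granted);
        assertDenyAll(user, subject,
            getDenyOperations(granted, SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS));
    }

    /**
     * Returns the operations of {@code enumSet} that are not in {@code set},
     * i.e. the ones expected to be denied. Neither argument is modified.
     */
    private HashSet<SchemaRegistryResourceOperation> getDenyOperations(
            Set<SchemaRegistryResourceOperation> set, EnumSet<SchemaRegistryResourceOperation> enumSet) {
        HashSet<SchemaRegistryResourceOperation> remaining = new HashSet<>(enumSet);
        remaining.removeAll(set);
        return remaining;
    }

    /** Asserts that {@code user} is allowed every operation in {@code operations}. */
    private void assertAllowAll(String user, String subject,
            Set<SchemaRegistryResourceOperation> operations) throws AuthorizerException {
        for (SchemaRegistryResourceOperation operation : operations) {
            assertAllowAcl(user, subject, operation);
        }
    }

    /** Asserts that {@code user} is denied every operation in {@code operations}. */
    private void assertDenyAll(String user, String subject,
            Set<SchemaRegistryResourceOperation> operations) throws AuthorizerException {
        for (SchemaRegistryResourceOperation operation : operations) {
            assertDenyAcl(user, subject, operation);
        }
    }

    /** Asserts that the authorizer allows {@code operation} for the principal and subject. */
    private void assertAllowAcl(String user, String subject,
            SchemaRegistryResourceOperation operation) throws AuthorizerException {
        Assert.assertTrue("Should be authorized for " + operation, authorize(user, subject, operation));
    }

    /** Asserts that the authorizer denies {@code operation} for the principal and subject. */
    private void assertDenyAcl(String user, String subject,
            SchemaRegistryResourceOperation operation) throws AuthorizerException {
        Assert.assertFalse("Shouldn't be authorized for " + operation, authorize(user, subject, operation));
    }

    /**
     * Runs one authorization decision. The request carries the mocked
     * container context and no servlet request.
     */
    private boolean authorize(String user, String subject,
            SchemaRegistryResourceOperation operation) throws AuthorizerException {
        AuthorizeRequest request = new AuthorizeRequest(
            new RestUserPrincipal(user), subject, operation,
            this.containerRequestContext, (HttpServletRequest) null);
        return this.schemaRegistryAclAuthorizer.authorize(request);
    }

    /** Registers (or replaces) the ACL of {@code user} for the given subject pattern. */
    private void addSubjectAcl(String user, String subject, Set<SchemaRegistryResourceOperation> operations) {
        this.subjectAllowedOperations
            .computeIfAbsent(user, ignored -> new ConcurrentHashMap<>())
            .put(subject, operations);
    }

    /** Registers (or replaces) the global ACL of {@code user}. */
    private void addGlobalAcl(String user, Set<SchemaRegistryResourceOperation> operations) {
        this.globalAllowedOperations.put(user, operations);
    }

    /**
     * Registers a global ACL for the given operations, then asserts that those
     * operations are allowed and every other global operation is denied.
     */
    private void addGlobalAclAndAssert(String user,
            SchemaRegistryResourceOperation... operations) throws AuthorizerException {
        Set<SchemaRegistryResourceOperation> granted = new HashSet<>(Arrays.asList(operations));
        addGlobalAcl(user, granted);
        assertAllowAll(user, null, granted);
        assertDenyAll(user, null,
            getDenyOperations(granted, SchemaRegistryResourceOperation.GLOBAL_RESOURCE_OPERATIONS));
    }
}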
