package io.confluent.rbacapi.test.integration.clearbox;

import io.confluent.common.utils.IntegrationTest;
import io.confluent.kafka.test.utils.KafkaTestUtils;
import io.confluent.kafka.test.utils.SecurityTestUtils;
import io.confluent.rbacapi.utils.HashLoginSetupHelper;
import io.confluent.rbacapi.utils.MdsConfigUtil;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.auth.client.provider.BuiltInAuthProviders;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.experimental.categories.Category;

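/**
 * Integration test for {@link RestAuthorizer} authenticating to the metadata service with HTTP
 * basic credentials for the default hash-login user.
 *
 * <p>The test user is granted {@code ResourceOwner} on the literal topic {@code TestTopic} only,
 * so the positive test checks both that the granted topic is allowed and that a topic without a
 * role binding ({@code SensitiveTopic}) is denied.
 */
@Category({IntegrationTest.class})
public class HashLoginIntegrationTest {
    private static RbacClusters rbacClusters;
    private static final String CLIENT_USER = HashLoginSetupHelper.DEFAULT_HASH_USER;
    private static final String CLIENT_PASSWORD = HashLoginSetupHelper.DEFAULT_HASH_PASSWORD;
    private static final KafkaPrincipal clientPrincipal = new KafkaPrincipal("User", CLIENT_USER);

    /**
     * Starts the RBAC test clusters with the default hash-login configuration and grants the
     * client user {@code ResourceOwner} on the literal topic {@code TestTopic}.
     *
     * @throws Exception if the clusters cannot be started or the role cannot be assigned
     */
    @BeforeClass
    public static void setUp() throws Exception {
        RbacClusters.Config config = HashLoginSetupHelper.newDefaultHashLoginConfig();
        // NOTE(review): presumably registers the "kafka" broker user with no extra users; confirm
        // against RbacClusters.Config#users.
        config.users("kafka", Collections.emptyList());
        rbacClusters = new RbacClusters(config);
        // Single, narrowly scoped binding: everything outside TestTopic must stay denied.
        rbacClusters.assignRole(
                "User",
                CLIENT_USER,
                "ResourceOwner",
                rbacClusters.kafkaClusterId(),
                Collections.singleton(new ResourcePattern("Topic", "TestTopic", PatternType.LITERAL)));
    }

    /**
     * Shuts the clusters down, then clears the security configuration and verifies thread cleanup.
     *
     * <p>The cleanup calls sit in a {@code finally} block so they run exactly once whether or not
     * shutdown fails; the previous catch-and-rethrow form repeated them when a cleanup call itself
     * threw.
     *
     * @throws Exception if shutdown or cleanup verification fails
     */
    @AfterClass
    public static void tearDown() throws Exception {
        try {
            if (rbacClusters != null) {
                rbacClusters.shutdown();
            }
        } finally {
            SecurityTestUtils.clearSecurityConfigs();
            KafkaTestUtils.verifyThreadCleanup();
        }
    }

    /** Valid credentials: the authorizer must authenticate and return the expected decisions. */
    @Test
    public void testRestAuthorizer_HappyAuthentication() throws Exception {
        verifyRestAuthorizerAuthentication(CLIENT_PASSWORD);
    }

    /**
     * Wrong password: the call is expected to fail with a {@link RuntimeException}.
     *
     * <p>NOTE(review): {@code expected = RuntimeException.class} is broad. Any unchecked exception
     * raised while configuring or calling the authorizer satisfies it, so this test does not prove
     * that the failure is an authentication rejection. Consider asserting the specific exception
     * type (or its cause/status) once that type is confirmed.
     */
    @Test(expected = RuntimeException.class)
    public void testRestAuthorizer_InvalidAuthentication() throws Exception {
        verifyRestAuthorizerAuthentication("invalid");
    }

    /**
     * Authorizes two {@code Write} actions as the client principal and checks the decisions:
     * {@code TestTopic} must be {@code ALLOWED} and {@code SensitiveTopic} must be {@code DENIED}.
     *
     * @param password basic-auth password presented to the metadata service
     * @throws Exception if the authorizer cannot be configured, the call fails, or close fails
     */
    private void verifyRestAuthorizerAuthentication(String password) throws Exception {
        // try-with-resources replaces the decompiler's expanded close/addSuppressed scaffolding,
        // which contained an unreachable branch dereferencing a null Throwable.
        try (RestAuthorizer authorizer = createRestAuthorizer(password)) {
            Scope clusterScope = Scope.kafkaClusterScope(rbacClusters.kafkaClusterId());
            ResourceType topic = new ResourceType("Topic");
            Operation write = new Operation("Write");

            List<AuthorizeResult> results =
                    authorizer.authorize(
                            clientPrincipal,
                            "",
                            Arrays.asList(
                                    new Action(clusterScope, topic, "TestTopic", write),
                                    new Action(clusterScope, topic, "SensitiveTopic", write)));

            Assert.assertEquals(2L, results.size());
            Assert.assertEquals(AuthorizeResult.ALLOWED, results.get(0));
            // Deny-by-default check: no role binding covers SensitiveTopic.
            Assert.assertEquals(AuthorizeResult.DENIED, results.get(1));
        }
    }

    /**
     * Builds a {@link RestAuthorizer} configured for HTTP basic authentication as
     * {@code CLIENT_USER} with the given password.
     *
     * @param password password placed in the {@code user:password} basic-auth setting
     * @return a configured authorizer; the caller is responsible for closing it
     * @throws Exception if configuration fails
     */
    private RestAuthorizer createRestAuthorizer(String password) throws Exception {
        HashMap<String, Object> configs = new HashMap<>();
        configs.put("confluent.metadata.bootstrap.server.urls", MdsConfigUtil.DEFAULT_HTTP_ADVERTISED_LISTENER);
        configs.put("confluent.metadata.http.auth.credentials.provider", BuiltInAuthProviders.HttpCredentialProviders.BASIC.name());
        // Carries the plaintext test credential; keep this map out of logs and assertion messages.
        configs.put("confluent.metadata.basic.auth.user.info", String.format("%s:%s", CLIENT_USER, password));
        configs.put("confluent.metadata.basic.auth.credentials.provider", BuiltInAuthProviders.BasicAuthCredentialProviders.USER_INFO.name());
        RestAuthorizer restAuthorizer = new RestAuthorizer();
        restAuthorizer.configure(configs);
        return restAuthorizer;
    }
}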
