package integration.rbacapi.configuration;

import io.confluent.common.utils.IntegrationTest;
import io.confluent.kafka.test.utils.KafkaTestUtils;
import io.confluent.kafka.test.utils.SecurityTestUtils;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.auth.client.provider.BuiltInAuthProviders;
import io.confluent.security.auth.client.rest.exceptions.RestClientException;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.ldap.client.ExampleComLdapCrud;
import io.confluent.testing.ldap.client.LdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import javax.xml.bind.DatatypeConverter;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import utils.KafkaConfigSetupHelper;
import utils.MdsConfigUtil;
import utils.TestStabilityUtil;

@Category({IntegrationTest.class})
/* loaded from: input_file:integration/rbacapi/configuration/LdapLoginIntegrationTest.class */
public class LdapLoginIntegrationTest {
    private static final String BROKER_USER = "kafka";
    private static final LdapCrud ldapCrud = new ExampleComLdapCrud();
    private static LdapServer ldapServer;
    private RbacClusters rbacClusters;

    @BeforeClass
    public static void setupClass() throws Exception {
        ldapServer = LdapServer.defaultServerNoUsers().start();
    }

    @AfterClass
    public static void teardownClass() {
        ldapServer.stop();
    }

    @After
    public void tearDown() {
        try {
            if (this.rbacClusters != null) {
                this.rbacClusters.shutdown();
            }
            SecurityTestUtils.clearSecurityConfigs();
            KafkaTestUtils.verifyThreadCleanup();
        } catch (Throwable th) {
            SecurityTestUtils.clearSecurityConfigs();
            KafkaTestUtils.verifyThreadCleanup();
            throw th;
        }
    }

    @Test
    public void testLdapAuthenticationUsingBind() throws Exception {
        this.rbacClusters = new RbacClusters(KafkaConfigSetupHelper.justLDAP(BROKER_USER));
        String str = "testUser-" + TestStabilityUtil.getUniqueInteger();
        String str2 = str + "-password";
        ldapCrud.createUser(str, str2);
        this.rbacClusters.assignRole("User", str, "ResourceOwner", this.rbacClusters.kafkaClusterId(), Collections.singleton(new ResourcePattern("Topic", "TestTopic", PatternType.LITERAL)));
        verifyClientAuthentication(str, str2);
        verifyBadPasswordFailure(str, "invalid", "with an invalid password");
        verifyBadPasswordFailure(str, "", "with an empty string password");
        String str3 = "testUser-" + TestStabilityUtil.getUniqueInteger();
        String str4 = str3 + "-password";
        ldapCrud.createUser(str3, encryptLdapPassword(str4));
        this.rbacClusters.assignRole("User", str3, "ResourceOwner", this.rbacClusters.kafkaClusterId(), Collections.singleton(new ResourcePattern("Topic", "TestTopic", PatternType.LITERAL)));
        verifyClientAuthentication(str3, str4);
        verifyBadPasswordFailure(str3, "invalid", "with an invalid password");
        verifyBadPasswordFailure(str3, "", "with an empty string password");
    }

    @Test
    public void testLdapAuthenticationUsingPasswordSearch() throws Exception {
        this.rbacClusters = new RbacClusters(KafkaConfigSetupHelper.justLDAP(BROKER_USER).overrideMetadataBrokerConfig("ldap.user.password.attribute", "userPassword"));
        String str = "testUser-" + TestStabilityUtil.getUniqueInteger();
        String str2 = str + "-password";
        ldapCrud.createUser(str, str2);
        this.rbacClusters.assignRole("User", str, "ResourceOwner", this.rbacClusters.kafkaClusterId(), Collections.singleton(new ResourcePattern("Topic", "TestTopic", PatternType.LITERAL)));
        verifyClientAuthentication(str, str2);
        verifyBadPasswordFailure(str, "invalid", "with an invalid password");
        verifyBadPasswordFailure(str, "", "with an empty string password");
        String str3 = "testUser-" + TestStabilityUtil.getUniqueInteger();
        String str4 = str3 + "-password";
        ldapCrud.createUser(str3, encryptLdapPassword(str4));
        this.rbacClusters.assignRole("User", str3, "ResourceOwner", this.rbacClusters.kafkaClusterId(), Collections.singleton(new ResourcePattern("Topic", "TestTopic", PatternType.LITERAL)));
        verifyClientAuthentication(str3, str4);
        verifyBadPasswordFailure(str3, "invalid", "with an invalid password");
        verifyBadPasswordFailure(str3, "", "with an empty string password");
    }

    private void verifyClientAuthentication(String str, String str2) throws Exception {
        RestAuthorizer createClient = createClient(str, str2);
        Throwable th = null;
        try {
            List authorize = createClient.authorize(new KafkaPrincipal("User", str), "", Arrays.asList(new Action(Scope.kafkaClusterScope(this.rbacClusters.kafkaClusterId()), new ResourceType("Topic"), "TestTopic", new Operation("Write")), new Action(Scope.kafkaClusterScope(this.rbacClusters.kafkaClusterId()), new ResourceType("Topic"), "SensitiveTopic", new Operation("Write"))));
            Assert.assertEquals(2L, authorize.size());
            Assert.assertEquals(AuthorizeResult.ALLOWED, authorize.get(0));
            Assert.assertEquals(AuthorizeResult.DENIED, authorize.get(1));
            if (createClient != null) {
                if (0 == 0) {
                    createClient.close();
                    return;
                }
                try {
                    createClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (createClient != null) {
                if (0 != 0) {
                    try {
                        createClient.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    createClient.close();
                }
            }
            throw th3;
        }
    }

    private static void verifyBadPasswordFailure(String str, String str2, String str3) {
        try {
            createClient(str, str2);
            Assert.fail("Should not have been able to create a RestAuthorizer with : " + str3);
        } catch (RuntimeException e) {
            Assert.assertTrue(e.getCause() instanceof RestClientException);
            Assert.assertEquals(401L, r0.errorCode());
        } catch (Exception e2) {
            Assert.fail("Unexpected exception thrown from RestAuthorizer of type:" + e2.getClass().getSimpleName());
        }
    }

    private static RestAuthorizer createClient(String str, String str2) {
        HashMap hashMap = new HashMap();
        hashMap.put("confluent.metadata.bootstrap.server.urls", MdsConfigUtil.DEFAULT_HTTP_ADVERTISED_LISTENER);
        hashMap.put("confluent.metadata.http.auth.credentials.provider", BuiltInAuthProviders.HttpCredentialProviders.BASIC.name());
        hashMap.put("confluent.metadata.basic.auth.user.info", String.format("%s:%s", str, str2));
        hashMap.put("confluent.metadata.basic.auth.credentials.provider", BuiltInAuthProviders.BasicAuthCredentialProviders.USER_INFO.name());
        RestAuthorizer restAuthorizer = new RestAuthorizer();
        restAuthorizer.configure(hashMap);
        return restAuthorizer;
    }

    private static String encryptLdapPassword(String str) throws Exception {
        return "{MD5}" + DatatypeConverter.printBase64Binary(MessageDigest.getInstance("MD5").digest(str.getBytes(StandardCharsets.UTF_8)));
    }
}
