package integration.rbacapi.api;

import io.confluent.rbacapi.entities.AuthorizeRequest;
import io.confluent.rbacapi.entities.ResourcesRequest;
import io.confluent.rbacapi.retrofit.RbacRestApi;
import io.confluent.rbacapi.retrofit.RbacRetrofitFactory;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.TestIndependenceUtil;
import io.confluent.testing.ldap.client.ExampleComLdapCrud;
import io.confluent.testing.ldap.client.LdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.junit.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;
import retrofit2.Response;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;
import utils.ScopeBuilder;

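/**
 * Integration test for role bindings that mix a {@code Cluster} resource with {@code Topic}
 * resources inside one Kafka cluster scope.
 *
 * <p>The test starts an LDAP server and an RBAC cluster, then drives the MDS REST API through
 * Retrofit clients. It checks two authorization properties:
 *
 * <ul>
 *   <li>a binding on {@code Cluster:kafka-cluster} does not authorize a {@code Topic} that happens
 *       to carry the same name, and
 *   <li>a principal can only remove another principal's role resources for resources it is
 *       itself bound to (HTTP 403 otherwise).
 * </ul>
 */
@Test(groups = {"parallelTests"})
/* loaded from: input_file:integration/rbacapi/api/ClusterResourceTypeTest.class */
public class ClusterResourceTypeTest {
    private static final String BROKER_USER = "kafka";
    private static final String USER_ADMIN = "user-admin";
    private static final String CLUSTER_RESOURCE_NAME = "kafka-cluster";

    private static RbacClusters rbacClusters;
    private static LdapServer ldapServer;
    private static LdapCrud ldapCrud;
    private static RbacRestApi userAdminClient;
    private static int actualMdsPort;

    /**
     * Starts the LDAP server and the RBAC cluster, and builds the REST client used by the
     * {@code user-admin} principal.
     *
     * @throws Exception if any of the test fixtures fails to start
     */
    @BeforeClass
    public static void setUp() throws Exception {
        ldapServer = LdapServer.defaultServerNoUsers().start();
        int actualPort = ldapServer.actualPort();
        ldapCrud = new ExampleComLdapCrud(actualPort);
        ldapCrud.createUser(USER_ADMIN);
        rbacClusters = new RbacClusters(KafkaConfigTool.justLDAP(actualPort, BROKER_USER));
        actualMdsPort = MdsTestUtil.lookupActualMdsPort(rbacClusters);
        // NOTE(review): the last two arguments are presumably user name and password; the LDAP
        // test fixture appears to use the user name as the password - confirm, test-only.
        userAdminClient = RbacRetrofitFactory.build(
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, actualMdsPort, USER_ADMIN, USER_ADMIN);
    }

    /**
     * Stops the fixtures in the same order as before, but keeps going when one step throws so
     * that a failing LDAP shutdown cannot leave the cluster running or the MDS port reserved.
     */
    @AfterClass
    public static void tearDown() {
        try {
            ldapServer.stop();
        } finally {
            try {
                rbacClusters.shutdown();
            } finally {
                MdsTestUtil.releasePort(actualMdsPort);
            }
        }
    }

    /**
     * Grants {@code ResourceOwner} on one cluster resource and one topic, verifies the resulting
     * authorization decisions, then verifies which role resources that owner may remove from a
     * second principal.
     *
     * @throws Throwable if a REST call or an assertion fails
     */
    @Test
    public void kafkaClusterResourceTest() throws Throwable {
        Scope scope = ScopeBuilder.withKafka("kafka-" + TestIndependenceUtil.getUniqueInteger()).build();
        rbacClusters.assignRole("User", USER_ADMIN, "UserAdmin", scope, Collections.emptySet());

        // First principal: ResourceOwner of Cluster:kafka-cluster and Topic:topic-A.
        KafkaPrincipal ownerPrincipal = userPrincipal("testUser-" + TestIndependenceUtil.getUniqueInteger());
        ldapCrud.createUser(ownerPrincipal.getName());
        ResourcesRequest ownerResources = new ResourcesRequest(
                scope,
                Arrays.asList(
                        literal("Cluster", CLUSTER_RESOURCE_NAME),
                        literal("Topic", "topic-A")));
        Assert.assertEquals(
                204L,
                userAdminClient
                        .addRoleResourcesForPrincipal(ownerPrincipal.toString(), "ResourceOwner", ownerResources)
                        .execute()
                        .code());

        // NOTE(review): the decompiled source used an undeclared variable `r0` for the three
        // remove calls below. It is reconstructed here as the first principal's client, the
        // reading that matches the expected 403 on topic-B - confirm against the original source.
        RbacRestApi ownerClient = RbacRetrofitFactory.build(
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST,
                actualMdsPort,
                ownerPrincipal.getName(),
                ownerPrincipal.getName());

        AuthorizeRequest authorizeRequest = new AuthorizeRequest(
                ownerPrincipal.toString(),
                Arrays.asList(
                        new Action(scope, new ResourceType("Cluster"), CLUSTER_RESOURCE_NAME, new Operation("DescribeConfigs")),
                        new Action(scope, new ResourceType("Topic"), "topic-A", new Operation("Read")),
                        new Action(scope, new ResourceType("Topic"), "topic-B", new Operation("Read")),
                        // Same name as the bound cluster resource, but a different resource type.
                        new Action(scope, new ResourceType("Topic"), CLUSTER_RESOURCE_NAME, new Operation("Read"))));
        Response<?> authorizeResponse = ownerClient.authorize(authorizeRequest).execute();
        Assert.assertEquals(200L, authorizeResponse.code());

        List<?> decisions = (List<?>) authorizeResponse.body();
        Assert.assertEquals(4L, decisions.size());
        Assert.assertEquals(AuthorizeResult.ALLOWED, decisions.get(0));
        Assert.assertEquals(AuthorizeResult.ALLOWED, decisions.get(1));
        // No binding covers topic-B.
        Assert.assertEquals(AuthorizeResult.DENIED, decisions.get(2));
        // The Cluster binding must not carry over to a Topic with the same name.
        Assert.assertEquals(AuthorizeResult.DENIED, decisions.get(3));

        // Second principal: DeveloperWrite on the cluster resource and on two topics.
        KafkaPrincipal developerPrincipal = userPrincipal("testUser-" + TestIndependenceUtil.getUniqueInteger());
        // The decompiled source re-created the first user here, which left the second principal
        // without an LDAP entry; create the second principal instead.
        ldapCrud.createUser(developerPrincipal.getName());
        ResourcesRequest developerResources = new ResourcesRequest(
                scope,
                Arrays.asList(
                        literal("Cluster", CLUSTER_RESOURCE_NAME),
                        literal("Topic", "topic-A"),
                        literal("Topic", "topic-B")));
        Assert.assertEquals(
                204L,
                userAdminClient
                        .addRoleResourcesForPrincipal(developerPrincipal.toString(), "DeveloperWrite", developerResources)
                        .execute()
                        .code());

        // The owner may remove resources it is bound to (topic-A and the cluster resource) and is
        // refused with 403 for topic-B, which it has no binding on.
        // "Prinpipal" is the spelling of the method as it is called in this file; keep it.
        Assert.assertEquals(
                204L,
                ownerClient
                        .removeRoleResourcesForPrinpipal(
                                developerPrincipal.toString(), "DeveloperWrite", single(scope, "Topic", "topic-A"))
                        .execute()
                        .code());
        Assert.assertEquals(
                403L,
                ownerClient
                        .removeRoleResourcesForPrinpipal(
                                developerPrincipal.toString(), "DeveloperWrite", single(scope, "Topic", "topic-B"))
                        .execute()
                        .code());
        Assert.assertEquals(
                204L,
                ownerClient
                        .removeRoleResourcesForPrinpipal(
                                developerPrincipal.toString(), "DeveloperWrite", single(scope, "Cluster", CLUSTER_RESOURCE_NAME))
                        .execute()
                        .code());
    }

    /** Builds a {@code User} principal with the given name. */
    private static KafkaPrincipal userPrincipal(String str) {
        return new KafkaPrincipal("User", str);
    }

    /** Builds a LITERAL resource pattern for the given resource type and name. */
    private static ResourcePattern literal(String resourceType, String name) {
        return new ResourcePattern(resourceType, name, PatternType.LITERAL);
    }

    /** Builds a request that names exactly one LITERAL resource in the given scope. */
    private static ResourcesRequest single(Scope scope, String resourceType, String name) {
        return new ResourcesRequest(scope, Collections.singletonList(literal(resourceType, name)));
    }
}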
