package integration.rbacapi.kafka;

import integration.rbacapi.api.LookupTest;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.auth.client.provider.BuiltInAuthProviders;
import io.confluent.security.auth.client.rest.RestClient;
import io.confluent.security.auth.client.rest.exceptions.RestClientException;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.ldap.client.ExampleComLdapCrud;
import io.confluent.testing.ldap.client.LdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;
import org.awaitility.Awaitility;
import org.junit.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;

@Test(groups = {"classParallelTests"})
/* loaded from: input_file:integration/rbacapi/kafka/RestClientIntegrationTest.class */
public class RestClientIntegrationTest {
    private static final String BROKER_USER = "kafka";
    private static final String DEVELOPER_GROUP = "app-developers";
    private static final String APP1_TOPIC = "app1-topic";
    private static final String APP1_CONSUMER_GROUP = "app1-consumer-group";
    private static final String APP2_TOPIC = "app2-topic";
    private static final String APP2_CONSUMER_GROUP = "app2-consumer-group";
    private static final String A_USER_ADMIN = "A_user-admin";
    private static final String A_USER_ADMIN_PASSWORD = "A_user-admin-password";
    private static final String A_SYSTEM_ADMIN = "A_system-admin";
    private static final String A_DEVELOPER1 = "A_app1-developer";
    private static final String A_DEVELOPER2 = "A_app2-developer";
    private static final String A_RESOURCE_OWNER = "A_resourceOwner1";
    private static final String A_OPERATOR = "A_operator1";
    private static final String B_USER_ADMIN = "B_user-admin";
    private static final String B_USER_ADMIN_PASSWORD = "B_user-admin-password";
    private static final String B_SYSTEM_ADMIN = "B_system-admin";
    private static final String B_DEVELOPER1 = "B_app1-developer";
    private static final String B_DEVELOPER2 = "B_app2-developer";
    private static final String B_RESOURCE_OWNER = "B_resourceOwner1";
    private static final String B_OPERATOR = "B_operator1";
    private static final String C_USER_ADMIN = "A_user-admin";
    private static final String C_USER_ADMIN_PASSWORD = "A_user-admin-password";
    private static final String C_SYSTEM_ADMIN = "C_user-admin";
    private static final String C_DEVELOPER1 = "C_app1-developer";
    private static final String C_DEVELOPER2 = "C_app2-developer";
    private static final String C_RESOURCE_OWNER = "C_resourceOwner1";
    private static final String C_OPERATOR = "C_operator1";
    private static String clusterId;
    private static LdapServer ldapServer;
    private static RbacClusters rbacClusters;
    private static int actualMdsPort;
    private static int mdsTestPort = MdsTestUtil.getUniqueishMdsPort();
    private static LdapCrud ldapCrud = new ExampleComLdapCrud();
    private static Map<String, RestAuthorizer> restAuthorizers = new HashMap();

    @BeforeClass
    public static void setUp() throws Throwable {
        ldapServer = LdapServer.defaultServerNoUsers().start();
        int actualPort = ldapServer.actualPort();
        ldapCrud = new ExampleComLdapCrud(actualPort);
        ldapCrud.createUser("A_user-admin", "A_user-admin-password");
        ldapCrud.createUser(B_USER_ADMIN, B_USER_ADMIN_PASSWORD);
        ldapCrud.createUser("A_user-admin", "A_user-admin-password");
        rbacClusters = new RbacClusters(KafkaConfigTool.justLDAP(actualPort, mdsTestPort, BROKER_USER));
        actualMdsPort = MdsTestUtil.lookupActualMdsPort(rbacClusters);
        Iterator it = Arrays.asList("A_user-admin", "A_user-admin-password", B_USER_ADMIN, B_USER_ADMIN_PASSWORD, "A_user-admin", "A_user-admin-password").iterator();
        while (it.hasNext()) {
            String str = (String) it.next();
            String str2 = (String) it.next();
            HashMap hashMap = new HashMap();
            hashMap.put("confluent.metadata.bootstrap.server.urls", "http://localhost:" + actualMdsPort);
            hashMap.put("confluent.metadata.http.auth.credentials.provider", BuiltInAuthProviders.HttpCredentialProviders.BASIC.name());
            hashMap.put("confluent.metadata.basic.auth.user.info", String.format("%s:%s", str, str2));
            restAuthorizers.put(str, new RestAuthorizer(new RestClient(hashMap)));
        }
        clusterId = rbacClusters.kafkaClusterId();
        rbacClusters.kafkaCluster.createTopic(APP1_TOPIC, 2, 1);
        rbacClusters.kafkaCluster.createTopic(APP2_TOPIC, 2, 1);
        initializeRoles();
    }

    @AfterClass
    public static void tearDown() {
        try {
            Iterator<RestAuthorizer> it = restAuthorizers.values().iterator();
            while (it.hasNext()) {
                it.next().close();
            }
            ldapServer.stop();
            rbacClusters.shutdown();
            MdsTestUtil.releasePort(actualMdsPort);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    @Test
    public void testA_testAuthorizationAccessControl() {
        RestAuthorizer restAuthorizer = restAuthorizers.get("A_user-admin");
        Action action = new Action(Scope.kafkaClusterScope(clusterId), new ResourceType("Topic"), APP1_TOPIC, new Operation("Write"));
        Action action2 = new Action(Scope.kafkaClusterScope(clusterId), new ResourceType("Topic"), APP1_TOPIC, new Operation("Read"));
        Action action3 = new Action(Scope.kafkaClusterScope("anotherCluster"), new ResourceType("Topic"), APP1_TOPIC, new Operation("Read"));
        verifyAuthorizeCall(restAuthorizer, userPrincipal("A_user-admin"), action, false);
        verifyAuthorizeCall(restAuthorizer, userPrincipal("A_user-admin"), action3, false);
        verifyAuthorizeNoAccess(restAuthorizer, userPrincipal(A_SYSTEM_ADMIN), action);
        verifyAuthorizeNoAccess(restAuthorizer, userPrincipal(A_DEVELOPER1), action);
        List<Action> asList = Arrays.asList(action, action2);
        List<Action> asList2 = Arrays.asList(action, action3, action2);
        verifyAuthorizeCalls(restAuthorizer, userPrincipal("A_user-admin"), asList, Arrays.asList(false, false));
        verifyAuthorizeNoAccess(restAuthorizer, userPrincipal(A_DEVELOPER1), asList);
        verifyAuthorizeNoAccess(restAuthorizer, userPrincipal(A_DEVELOPER1), asList2);
        makeUserAdmin("A_user-admin");
        verifyAuthorizeCalls(restAuthorizer, userPrincipal(A_DEVELOPER1), asList, Arrays.asList(true, true));
        verifyAuthorizeNoAccess(restAuthorizer, userPrincipal(A_DEVELOPER1), asList2);
        verifyAuthorizeCalls(restAuthorizer, userPrincipal("A_user-admin"), asList2, Arrays.asList(false, false, false));
    }

    @Test
    public void testB_testAuthorization() {
        RestAuthorizer restAuthorizer = restAuthorizers.get(B_USER_ADMIN);
        makeUserAdmin(B_USER_ADMIN);
        Action action = new Action(Scope.kafkaClusterScope(clusterId), new ResourceType("Topic"), APP1_TOPIC, new Operation("Write"));
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_SYSTEM_ADMIN), action, true);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_DEVELOPER1), action, true);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_RESOURCE_OWNER), action, true);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_DEVELOPER2), action, false);
        Action action2 = new Action(Scope.kafkaClusterScope(clusterId), new ResourceType(LookupTest.GROUP_TYPE), APP1_CONSUMER_GROUP, new Operation("Read"));
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_SYSTEM_ADMIN), action2, true);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_DEVELOPER1), action2, true);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_RESOURCE_OWNER), action2, true);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_DEVELOPER2), action2, false);
        Action action3 = new Action(Scope.kafkaClusterScope(clusterId), new ResourceType("Topic"), APP2_TOPIC, new Operation("Write"));
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_SYSTEM_ADMIN), action3, true);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_DEVELOPER2), action3, true);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_RESOURCE_OWNER), action3, true);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_DEVELOPER1), action3, false);
        Action action4 = new Action(Scope.kafkaClusterScope(clusterId), new ResourceType(LookupTest.GROUP_TYPE), APP2_CONSUMER_GROUP, new Operation("Read"));
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_SYSTEM_ADMIN), action4, true);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_DEVELOPER2), action4, true);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_RESOURCE_OWNER), action4, true);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(B_DEVELOPER1), action4, false);
        Action action5 = new Action(Scope.kafkaClusterScope("Unknown"), new ResourceType("Topic"), APP1_TOPIC, new Operation("Write"));
        verifyAuthorizeNoAccess(restAuthorizer, userPrincipal(B_SYSTEM_ADMIN), action5);
        verifyAuthorizeNoAccess(restAuthorizer, userPrincipal(B_DEVELOPER1), action5);
        verifyAuthorizeNoAccess(restAuthorizer, userPrincipal(B_DEVELOPER2), action5);
        verifyAuthorizeCalls(restAuthorizer, userPrincipal(B_DEVELOPER1), Arrays.asList(action, action, action4), Arrays.asList(true, true, false));
        verifyAuthorizeCalls(restAuthorizer, userPrincipal(B_DEVELOPER2), Arrays.asList(action2, action3, action2), Arrays.asList(false, true, false));
    }

    @Test
    public void testC_testAuthorizationForGroupRoles() throws Exception {
        RestAuthorizer restAuthorizer = restAuthorizers.get("A_user-admin");
        makeUserAdmin("A_user-admin");
        Action action = new Action(Scope.kafkaClusterScope(clusterId), new ResourceType("Topic"), APP1_TOPIC, new Operation("Read"));
        verifyAuthorizeCall(restAuthorizer, userPrincipal(C_DEVELOPER2), action, false);
        ldapCrud.addUserToGroup(C_DEVELOPER2, DEVELOPER_GROUP);
        rbacClusters.assignRole(LookupTest.GROUP_TYPE, DEVELOPER_GROUP, "DeveloperRead", clusterId, Utils.mkSet(new ResourcePattern[]{new ResourcePattern(LookupTest.GROUP_TYPE, APP1_CONSUMER_GROUP, PatternType.LITERAL), new ResourcePattern("Topic", APP1_TOPIC, PatternType.LITERAL)}));
        rbacClusters.assignRole(LookupTest.GROUP_TYPE, DEVELOPER_GROUP, "DeveloperWrite", clusterId, Utils.mkSet(new ResourcePattern[]{new ResourcePattern("Topic", APP1_TOPIC, PatternType.LITERAL)}));
        Awaitility.await().atMost(30L, TimeUnit.SECONDS).untilAsserted(() -> {
            Assert.assertEquals("Access not updated in time to ALLOWED", AuthorizeResult.ALLOWED, restAuthorizer.authorize(userPrincipal(C_DEVELOPER2), "", Collections.singletonList(action)).get(0));
        });
        Action action2 = new Action(Scope.kafkaClusterScope(clusterId), new ResourceType("Topic"), APP1_TOPIC, new Operation("Write"));
        verifyAuthorizeCall(restAuthorizer, userPrincipal(C_OPERATOR), action2, false);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(C_DEVELOPER2), action2, true);
        Action action3 = new Action(Scope.kafkaClusterScope(clusterId), new ResourceType(LookupTest.GROUP_TYPE), APP1_CONSUMER_GROUP, new Operation("Read"));
        verifyAuthorizeCall(restAuthorizer, userPrincipal(C_OPERATOR), action3, false);
        verifyAuthorizeCall(restAuthorizer, userPrincipal(C_DEVELOPER2), action3, true);
    }

    private KafkaPrincipal userPrincipal(String str) {
        return new KafkaPrincipal("User", str);
    }

    private void makeUserAdmin(String str) {
        try {
            rbacClusters.assignRole("User", str, "UserAdmin", clusterId, Collections.emptySet());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private void verifyAuthorizeCall(RestAuthorizer restAuthorizer, KafkaPrincipal kafkaPrincipal, Action action, boolean z) {
        List authorize = restAuthorizer.authorize(kafkaPrincipal, "", Collections.singletonList(action));
        Assert.assertTrue(authorize.size() == 1);
        Assert.assertEquals(Boolean.valueOf(z), Boolean.valueOf(authorize.get(0) == AuthorizeResult.ALLOWED));
    }

    private void verifyAuthorizeNoAccess(RestAuthorizer restAuthorizer, KafkaPrincipal kafkaPrincipal, Action... actionArr) {
        verifyAuthorizeNoAccess(restAuthorizer, kafkaPrincipal, Arrays.asList(actionArr));
    }

    private void verifyAuthorizeNoAccess(RestAuthorizer restAuthorizer, KafkaPrincipal kafkaPrincipal, List<Action> list) {
        try {
            restAuthorizer.authorize(kafkaPrincipal, "", list);
            Assert.fail("Authorize request did not fail without permissions to authorize");
        } catch (Exception e) {
            Assert.assertTrue("Unexpected exception " + e, e.getCause() instanceof RestClientException);
            Assert.assertEquals(40301L, e.getCause().errorCode());
        }
    }

    private void verifyAuthorizeCalls(RestAuthorizer restAuthorizer, KafkaPrincipal kafkaPrincipal, List<Action> list, List<Boolean> list2) {
        List authorize = restAuthorizer.authorize(kafkaPrincipal, "", list);
        Assert.assertTrue(list.size() == authorize.size());
        for (int i = 0; i < list.size(); i++) {
            Assert.assertEquals(list2.get(i), Boolean.valueOf(authorize.get(i) == AuthorizeResult.ALLOWED));
        }
    }

    private static void initializeRoles() throws Exception {
        for (String str : Arrays.asList(C_DEVELOPER1, A_DEVELOPER1, B_DEVELOPER1)) {
            rbacClusters.assignRole("User", str, "DeveloperRead", clusterId, Utils.mkSet(new ResourcePattern[]{new ResourcePattern("Topic", APP1_TOPIC, PatternType.LITERAL), new ResourcePattern(LookupTest.GROUP_TYPE, APP1_CONSUMER_GROUP, PatternType.LITERAL)}));
            rbacClusters.assignRole("User", str, "DeveloperWrite", clusterId, Utils.mkSet(new ResourcePattern[]{new ResourcePattern("Topic", APP1_TOPIC, PatternType.LITERAL)}));
        }
        for (String str2 : Arrays.asList(C_DEVELOPER2, A_DEVELOPER2, B_DEVELOPER2)) {
            rbacClusters.assignRole("User", str2, "DeveloperRead", clusterId, Utils.mkSet(new ResourcePattern[]{new ResourcePattern("Topic", "app2", PatternType.PREFIXED), new ResourcePattern(LookupTest.GROUP_TYPE, "app2", PatternType.PREFIXED)}));
            rbacClusters.assignRole("User", str2, "DeveloperWrite", clusterId, Utils.mkSet(new ResourcePattern[]{new ResourcePattern("Topic", "app2", PatternType.PREFIXED)}));
        }
        Iterator it = Arrays.asList(B_RESOURCE_OWNER, C_RESOURCE_OWNER).iterator();
        while (it.hasNext()) {
            rbacClusters.assignRole("User", (String) it.next(), "ResourceOwner", clusterId, Utils.mkSet(new ResourcePattern[]{new ResourcePattern("Topic", "*", PatternType.LITERAL), new ResourcePattern(LookupTest.GROUP_TYPE, "*", PatternType.LITERAL)}));
        }
        Iterator it2 = Arrays.asList(B_OPERATOR, C_OPERATOR).iterator();
        while (it2.hasNext()) {
            rbacClusters.assignRole("User", (String) it2.next(), "Operator", clusterId, Collections.emptySet());
        }
        Iterator it3 = Arrays.asList(B_SYSTEM_ADMIN, C_SYSTEM_ADMIN).iterator();
        while (it3.hasNext()) {
            rbacClusters.assignRole("User", (String) it3.next(), "SystemAdmin", clusterId, Collections.emptySet());
        }
    }
}
