package integration.rbacapi.kafka;

import io.confluent.rbacapi.entities.AuthorizeRequest;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.auth.client.acl.MdsAclClient;
import io.confluent.security.auth.client.provider.BuiltInAuthProviders;
import io.confluent.security.auth.client.rest.entities.AclFilter;
import io.confluent.security.auth.client.rest.entities.CreateAclsRequest;
import io.confluent.security.auth.client.rest.entities.DeleteAclsRequest;
import io.confluent.security.auth.client.rest.entities.DeleteAclsResult;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.PermissionType;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.acl.AclRule;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.TestIndependenceUtil;
import io.confluent.testing.ldap.client.ExampleComLdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.junit.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;

@Test(groups = {"classParallelTests"})
/* loaded from: input_file:integration/rbacapi/kafka/AclClientIntegrationTest.class */
public class AclClientIntegrationTest {
    private static final String CLUSTER = "testCluster";
    private static final String BROKER_USER = "kafka";
    private static LdapServer ldapServer;
    private static RbacClusters rbacClusters;
    private static int actualMdsPort;
    private static RestAuthorizer restAuthorizer;
    private static MdsAclClient aclClient;

    @BeforeClass
    public static void setUp() throws Throwable {
        ldapServer = LdapServer.defaultServerNoUsers().start();
        int actualPort = ldapServer.actualPort();
        new ExampleComLdapCrud(actualPort).createUsers(new String[]{"kafka"});
        rbacClusters = new RbacClusters(KafkaConfigTool.justLDAPv1(actualPort, "kafka").overrideMetadataBrokerConfig("super.users", "User:ANONYMOUS;User:kafka"));
        actualMdsPort = MdsTestUtil.lookupActualMdsPort(rbacClusters);
        HashMap hashMap = new HashMap();
        hashMap.put("confluent.metadata.bootstrap.server.urls", "http://localhost:" + actualMdsPort);
        hashMap.put("confluent.metadata.http.auth.credentials.provider", BuiltInAuthProviders.HttpCredentialProviders.BASIC.name());
        hashMap.put("confluent.metadata.basic.auth.user.info", String.format("%s:%s", "kafka", "kafka"));
        restAuthorizer = new RestAuthorizer();
        restAuthorizer.configure(hashMap);
        aclClient = new MdsAclClient();
        aclClient.configure(hashMap);
    }

    @AfterClass
    public static void tearDown() throws Exception {
        ldapServer.stop();
        rbacClusters.shutdown();
        MdsTestUtil.releasePort(actualMdsPort);
    }

    @Test
    public void aclRestClientTest() {
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "TestUser-" + TestIndependenceUtil.getUniqueInteger());
        KafkaPrincipal kafkaPrincipal2 = new KafkaPrincipal("User", "TestUser-" + TestIndependenceUtil.getUniqueInteger());
        Scope kafkaClusterScope = Scope.kafkaClusterScope(CLUSTER);
        AuthorizeRequest authorizeRequest = new AuthorizeRequest(kafkaPrincipal.toString(), "192.168.9.1", Collections.singletonList(new Action(Scope.kafkaClusterScope(CLUSTER), new ResourceType("Topic"), "TopicA", new Operation("Read"))));
        verifySingletonAuthorizeCall(authorizeRequest, AuthorizeResult.DENIED);
        AclBinding aclBinding = new AclBinding(ResourcePattern.to(new ResourcePattern(new ResourceType("Topic"), "TopicA", PatternType.LITERAL)), new AclRule(kafkaPrincipal, PermissionType.ALLOW, "192.168.9.1", new Operation("Read")).toAccessControlEntry());
        aclClient.createAcls(new CreateAclsRequest(kafkaClusterScope, Collections.singletonList(aclBinding)));
        verifySingletonAuthorizeCall(authorizeRequest, AuthorizeResult.ALLOWED);
        AclBinding aclBinding2 = new AclBinding(ResourcePattern.to(new ResourcePattern(new ResourceType("Topic"), "Topic", PatternType.PREFIXED)), new AclRule(kafkaPrincipal2, PermissionType.ALLOW, "*", new Operation("Read")).toAccessControlEntry());
        aclClient.createAcls(new CreateAclsRequest(kafkaClusterScope, Collections.singletonList(aclBinding2)));
        verifySingletonAuthorizeCall(new AuthorizeRequest(kafkaPrincipal2.toString(), "192.168.9.1", Collections.singletonList(new Action(Scope.kafkaClusterScope(CLUSTER), new ResourceType("Topic"), "TopicA", new Operation("Read")))), AuthorizeResult.ALLOWED);
        AclBinding aclBinding3 = new AclBinding(ResourcePattern.to(new ResourcePattern(new ResourceType("Cluster"), "kafka-cluster", PatternType.LITERAL)), new AclRule(kafkaPrincipal2, PermissionType.ALLOW, "*", new Operation("All")).toAccessControlEntry());
        aclClient.createAcls(new CreateAclsRequest(kafkaClusterScope, Collections.singletonList(aclBinding3)));
        HashSet hashSet = new HashSet();
        hashSet.add(aclBinding);
        hashSet.add(aclBinding2);
        hashSet.add(aclBinding3);
        Assert.assertEquals(hashSet, new HashSet(allBindings(kafkaClusterScope)));
        Assert.assertEquals(Collections.singleton(aclBinding), new HashSet(((DeleteAclsResult.DeleteResult) aclClient.deleteAcls(new DeleteAclsRequest(kafkaClusterScope, Collections.singletonList(aclBinding.toFilter()))).resultMap.get(aclBinding.toFilter())).aclBindings));
        HashSet hashSet2 = new HashSet();
        hashSet2.add(aclBinding2);
        hashSet2.add(aclBinding3);
        Assert.assertEquals(hashSet2, new HashSet(allBindings(kafkaClusterScope)));
        Assert.assertEquals(hashSet2, new HashSet(((DeleteAclsResult.DeleteResult) aclClient.deleteAcls(new DeleteAclsRequest(kafkaClusterScope, Collections.singletonList(AclBindingFilter.ANY))).resultMap.get(AclBindingFilter.ANY)).aclBindings));
        Assert.assertTrue(allBindings(kafkaClusterScope).isEmpty());
    }

    @Test(expectedExceptions = {RuntimeException.class})
    public void testWithBadClientCertificate() throws Exception {
        HashMap hashMap = new HashMap();
        hashMap.put("confluent.metadata.bootstrap.server.urls", "https://localhost:" + actualMdsPort);
        hashMap.put("confluent.metadata.request.timeout.ms", 200);
        hashMap.put("confluent.metadata.http.request.timeout.ms", 600);
        aclClient = new MdsAclClient();
        aclClient.configure(hashMap);
        Scope kafkaClusterScope = Scope.kafkaClusterScope(CLUSTER);
        aclClient.createAcls(new CreateAclsRequest(kafkaClusterScope, allBindings(kafkaClusterScope)));
    }

    private Collection<AclBinding> allBindings(Scope scope) {
        return aclClient.describeAcls(new AclFilter(scope, AclBindingFilter.ANY));
    }

    private void verifySingletonAuthorizeCall(AuthorizeRequest authorizeRequest, AuthorizeResult authorizeResult) {
        List authorize = restAuthorizer.authorize(SecurityUtils.parseKafkaPrincipal(authorizeRequest.userPrincipal), authorizeRequest.host, authorizeRequest.actions);
        Assert.assertEquals(1L, authorize.size());
        Assert.assertEquals(authorizeResult, authorize.get(0));
    }
}
