package integration.rbacapi.api.v1;

import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.entities.ResourcesRequest;
import io.confluent.rbacapi.entities.VisibilityRequest;
import io.confluent.rbacapi.entities.VisibilityResponse;
import io.confluent.rbacapi.retrofit.v1.V1RbacRestApi;
import io.confluent.rbacapi.retrofit.v1.V1RbacRetrofitFactory;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.TestIndependenceUtil;
import io.confluent.testing.ldap.client.ExampleComLdapCrud;
import io.confluent.testing.ldap.client.LdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import java.io.IOException;
import java.net.ConnectException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang.StringUtils;
import org.apache.kafka.common.resource.PatternType;
import org.awaitility.Awaitility;
import org.testng.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
import utils.ApiValidationUtil;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;
import utils.ScopeBuilder;

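/**
 * Integration tests for the MDS v1 visibility endpoint.
 *
 * <p>Each test creates a fresh LDAP user, grants or revokes a role binding through the
 * super-user client, and then asks the visibility endpoint (as that user) which clusters
 * the principal can see. The authorization property under test is that a cluster or
 * sub-cluster is reported visible only while the principal, or a group it belongs to,
 * holds a role on it, and that visibility is withdrawn once the binding is removed.
 *
 * <p>The class-level {@code @Test} annotation assigns the tests to the
 * {@code classParallelTests} group.
 */
@Test(groups = {"classParallelTests"})
public class VisibilityEndpointTest {
    private static final String BROKER_USER = "kafka";
    /** Status code the tests expect from every role-binding add/remove call. */
    private static final int HTTP_NO_CONTENT = 204;

    private RbacClusters rbacClusters;
    private LdapServer ldapServer;
    private LdapCrud ldapCrud;
    private int actualMdsPort;
    private V1RbacRestApi superUserClient;
    private String mdsClusterId;
    private String secondaryClusterId;
    private MdsScope mdsKafkaScope;
    private MdsScope secondaryKafkaScope;

    /**
     * Starts an empty LDAP server, creates the broker user, boots the RBAC clusters and
     * waits (up to 30 seconds) until the MDS REST API answers the super-user client.
     *
     * @throws Exception if any part of the fixture fails to start
     */
    @BeforeClass
    public void setUp() throws Exception {
        this.ldapServer = LdapServer.defaultServerNoUsers().start();
        int ldapPort = this.ldapServer.actualPort();
        this.ldapCrud = new ExampleComLdapCrud(ldapPort);
        this.ldapCrud.createUser(BROKER_USER);
        this.rbacClusters = new RbacClusters(KafkaConfigTool.justLDAPv1(ldapPort, BROKER_USER));
        this.actualMdsPort = MdsTestUtil.lookupActualMdsPort(this.rbacClusters);
        this.superUserClient = V1RbacRetrofitFactory.build(
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, BROKER_USER);
        this.mdsClusterId = this.rbacClusters.metadataClusterId();
        this.mdsKafkaScope = new MdsScope(Scope.kafkaClusterScope(this.mdsClusterId));
        this.secondaryClusterId = this.rbacClusters.kafkaClusterId();
        this.secondaryKafkaScope = new MdsScope(Scope.kafkaClusterScope(this.secondaryClusterId));
        // Connection refusals are expected while MDS is still starting, so they are ignored.
        Awaitility.given()
                .ignoreException(ConnectException.class)
                .await()
                .atMost(30L, TimeUnit.SECONDS)
                .until(() -> this.superUserClient.getRoleNames().execute().isSuccessful());
    }

    /**
     * Stops the LDAP server, shuts the clusters down and releases the MDS port.
     *
     * <p>Each step runs even if an earlier one throws, so a failing LDAP shutdown no longer
     * leaks the clusters or the reserved port into later test classes.
     */
    @AfterClass
    public void tearDown() {
        try {
            if (this.ldapServer != null) {
                this.ldapServer.stop();
            }
        } finally {
            try {
                if (this.rbacClusters != null) {
                    this.rbacClusters.shutdown();
                }
            } finally {
                MdsTestUtil.releasePort(this.actualMdsPort);
            }
        }
    }

    /**
     * Verifies that a cluster-level role makes exactly the Kafka cluster it is bound to
     * visible: neither cluster before any grant, only the MDS cluster after the first
     * grant, and both after the second.
     *
     * <p>This method carries no method-level {@code @Test}; it relies on the class-level
     * annotation to be picked up as a test.
     *
     * @throws Throwable if an API call fails or an assertion does not hold
     */
    public void verifyClusterRoleOnTwoKafkas() throws Throwable {
        String userName = "TestUser-" + TestIndependenceUtil.getUniqueInteger();
        String userPrincipal = "User:" + userName;
        this.ldapCrud.createUser(userName);
        V1RbacRestApi userClient = V1RbacRetrofitFactory.build(
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, userName);
        verifyPrincipalHasNoRoles(userPrincipal, this.mdsKafkaScope);
        verifyPrincipalHasNoRoles(userPrincipal, this.secondaryKafkaScope);
        List<VisibilityRequest> requests = Arrays.asList(
                kafkaOnlyRequest(this.mdsClusterId), kafkaOnlyRequest(this.secondaryClusterId));

        // No bindings yet: nothing may be visible.
        List<VisibilityResponse> beforeGrant = fetchVisibility(userClient, userPrincipal, requests);
        assertKafkaCluster(beforeGrant.get(0), this.mdsClusterId, false);
        assertKafkaCluster(beforeGrant.get(1), this.secondaryClusterId, false);

        // Binding on the MDS cluster only: the secondary cluster must stay hidden.
        assertNoContent(this.superUserClient
                .addClusterRoleForPrincipal(userPrincipal, "Operator", this.mdsKafkaScope)
                .execute().code());
        List<VisibilityResponse> afterFirst = fetchVisibility(userClient, userPrincipal, requests);
        assertKafkaCluster(afterFirst.get(0), this.mdsClusterId, true);
        assertKafkaCluster(afterFirst.get(1), this.secondaryClusterId, false);

        // Binding on both clusters: both become visible.
        assertNoContent(this.superUserClient
                .addClusterRoleForPrincipal(userPrincipal, "Operator", this.secondaryKafkaScope)
                .execute().code());
        List<VisibilityResponse> afterSecond = fetchVisibility(userClient, userPrincipal, requests);
        assertKafkaCluster(afterSecond.get(0), this.mdsClusterId, true);
        assertKafkaCluster(afterSecond.get(1), this.secondaryClusterId, true);
    }

    /**
     * Verifies that a role bound to a group is reflected in the visibility of a user who is
     * a member of that group, that an unrelated cluster id stays hidden, and that removing
     * the group binding hides the cluster again.
     *
     * @throws Throwable if an API call fails or an assertion does not hold
     */
    @Test
    public void verifyGroupLevelClusterVisibility() throws Throwable {
        String userName = "TestUser-" + TestIndependenceUtil.getUniqueInteger();
        String userPrincipal = "User:" + userName;
        String groupName = "TestGroup-" + TestIndependenceUtil.getUniqueInteger();
        String groupPrincipal = "Group:" + groupName;
        this.ldapCrud.createUser(userName);
        this.ldapCrud.addUserToGroup(userName, groupName);
        V1RbacRestApi userClient = V1RbacRetrofitFactory.build(
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, userName);
        ApiValidationUtil.verifyPrincipalHasNoRoles(this.superUserClient, userPrincipal, this.secondaryClusterId);
        ApiValidationUtil.verifyPrincipalHasNoRoles(this.superUserClient, groupPrincipal, this.secondaryClusterId);

        assertNoContent(this.superUserClient
                .addClusterRoleForPrincipal(groupPrincipal, "ClusterAdmin", this.secondaryKafkaScope)
                .execute().code());
        // Wait until the group binding is reported for the user before checking visibility.
        Awaitility.await().atMost(5L, TimeUnit.SECONDS).untilAsserted(() -> {
            List<String> roles = lookupRolesForPrincipal(userPrincipal, this.secondaryKafkaScope);
            Assert.assertNotNull(roles);
            Assert.assertEquals(roles.size(), 1);
            Assert.assertEquals(roles.get(0), "ClusterAdmin");
        });

        List<VisibilityRequest> requests = Arrays.asList(
                kafkaOnlyRequest(this.secondaryClusterId), kafkaOnlyRequest("NegativeTest_OtherCluster"));
        List<VisibilityResponse> whileGranted = fetchVisibility(userClient, userPrincipal, requests);
        assertKafkaCluster(whileGranted.get(0), this.secondaryClusterId, true);
        assertKafkaCluster(whileGranted.get(1), "NegativeTest_OtherCluster", false);

        // Revocation path: once the group binding is gone the user must lose visibility.
        assertNoContent(this.superUserClient
                .removeRoleForPrincipal(groupPrincipal, "ClusterAdmin", this.secondaryKafkaScope)
                .execute().code());
        ApiValidationUtil.verifyPrincipalHasNoRoles(this.superUserClient, groupPrincipal, this.secondaryClusterId);
        ApiValidationUtil.verifyPrincipalHasNoRoles(this.superUserClient, userPrincipal, this.secondaryClusterId);
        List<VisibilityResponse> afterRevoke = fetchVisibility(userClient, userPrincipal, requests);
        assertKafkaCluster(afterRevoke.get(0), this.secondaryClusterId, false);
        assertKafkaCluster(afterRevoke.get(1), "NegativeTest_OtherCluster", false);
    }

    /**
     * Supplies one row per sub-cluster kind (Connect, Schema Registry, KSQL).
     *
     * <p>Each row holds: the sub-cluster id, the scope addressing that sub-cluster under the
     * secondary Kafka cluster, and the two strings the resource-role test passes as the first
     * two arguments of {@code ResourcePattern}.
     *
     * @return the data rows, declared as a real {@code Object[][]}
     */
    @DataProvider(parallel = true)
    public Object[][] clusterVisibilityData() {
        return new Object[][] {
            {"c1", ScopeBuilder.withKafka(this.secondaryClusterId).withConnect("c1").build(), "Connector", "Sushi"},
            {"s1", ScopeBuilder.withKafka(this.secondaryClusterId).withSR("s1").build(), "Subject", "Sushi"},
            {"k1", ScopeBuilder.withKafka(this.secondaryClusterId).withKSQL("k1").build(), "KsqlCluster", "ksql-cluster"},
        };
    }

    /**
     * Verifies that a resource-level role inside one sub-cluster makes only that sub-cluster
     * visible (not the parent Kafka cluster, not the sibling sub-clusters), and that removing
     * the role hides every sub-cluster again.
     *
     * @param str id of the sub-cluster the role is granted in
     * @param mdsScope scope addressing that sub-cluster
     * @param str2 first {@code ResourcePattern} argument for the granted resource
     * @param str3 second {@code ResourcePattern} argument for the granted resource
     * @throws Throwable if an API call fails or an assertion does not hold
     */
    @Test(dataProvider = "clusterVisibilityData")
    public void verifySubCluster_ResourceRoles(String str, MdsScope mdsScope, String str2, String str3) throws Throwable {
        String userName = "TestUser-" + TestIndependenceUtil.getUniqueInteger();
        String userPrincipal = "User:" + userName;
        this.ldapCrud.createUser(userName);
        V1RbacRestApi userClient = V1RbacRetrofitFactory.build(
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, userName);
        List<ResourcePattern> resources =
                Collections.singletonList(new ResourcePattern(str2, str3, PatternType.LITERAL));
        ApiValidationUtil.verifyPrincipalHasNoRoles(this.superUserClient, userPrincipal, this.secondaryClusterId);
        ApiValidationUtil.verifyPrincipalHasNoRoles(this.superUserClient, userPrincipal, mdsScope);
        assertNoContent(this.superUserClient
                .addRoleResourcesForPrincipal(userPrincipal, "DeveloperWrite", new ResourcesRequest(mdsScope, resources))
                .execute().code());

        List<VisibilityRequest> requests = Collections.singletonList(subClusterRequest());
        VisibilityResponse whileGranted = fetchVisibility(userClient, userPrincipal, requests).get(0);
        Assert.assertFalse(whileGranted.kafkaCluster.visible);
        boolean grantedSubClusterSeen = false;
        for (VisibilityResponse.ClusterVisibility subCluster : subClusters(whileGranted)) {
            if (StringUtils.equals(str, subCluster.id)) {
                grantedSubClusterSeen = true;
                Assert.assertTrue(subCluster.visible, "Positive Test : The valid sub-clusterId should be visible");
            } else {
                Assert.assertFalse(subCluster.visible, "Negative Test: Other sub-clusters should not be visible");
            }
        }
        // Without this the positive check passes vacuously when the response omits the entry.
        Assert.assertTrue(grantedSubClusterSeen, "Response should contain an entry for sub-cluster " + str);

        assertNoContent(this.superUserClient
                .removeRoleForPrincipal(userPrincipal, "DeveloperWrite", mdsScope)
                .execute().code());
        // Mirror the pre-grant checks: no roles on the sub-cluster scope or the Kafka cluster.
        ApiValidationUtil.verifyPrincipalHasNoRoles(this.superUserClient, userPrincipal, mdsScope);
        ApiValidationUtil.verifyPrincipalHasNoRoles(this.superUserClient, userPrincipal, this.secondaryClusterId);
        VisibilityResponse afterRevoke = fetchVisibility(userClient, userPrincipal, requests).get(0);
        Assert.assertFalse(afterRevoke.kafkaCluster.visible);
        // After revocation every sub-cluster must be hidden, not only the one that was granted.
        for (VisibilityResponse.ClusterVisibility subCluster : subClusters(afterRevoke)) {
            Assert.assertFalse(subCluster.visible, "No sub-clusters should be visible");
        }
    }

    /**
     * Verifies that a cluster-level role on one sub-cluster makes only that sub-cluster
     * visible (not the parent Kafka cluster, not the sibling sub-clusters), and that removing
     * the role hides every sub-cluster again.
     *
     * @param str id of the sub-cluster the role is granted on
     * @param mdsScope scope addressing that sub-cluster
     * @param str2 unused here; present because the data provider is shared
     * @param str3 unused here; present because the data provider is shared
     * @throws Throwable if an API call fails or an assertion does not hold
     */
    @Test(dataProvider = "clusterVisibilityData")
    public void verifySubCluster_ClusterRoles(String str, MdsScope mdsScope, String str2, String str3) throws Throwable {
        String userName = "TestUser-" + TestIndependenceUtil.getUniqueInteger();
        String userPrincipal = "User:" + userName;
        this.ldapCrud.createUser(userName);
        V1RbacRestApi userClient = V1RbacRetrofitFactory.build(
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, userName);
        ApiValidationUtil.verifyPrincipalHasNoRoles(this.superUserClient, userPrincipal, this.secondaryClusterId);
        ApiValidationUtil.verifyPrincipalHasNoRoles(this.superUserClient, userPrincipal, mdsScope);
        assertNoContent(this.superUserClient
                .addClusterRoleForPrincipal(userPrincipal, "ClusterAdmin", mdsScope)
                .execute().code());

        List<VisibilityRequest> requests = Collections.singletonList(subClusterRequest());
        VisibilityResponse whileGranted = fetchVisibility(userClient, userPrincipal, requests).get(0);
        Assert.assertFalse(whileGranted.kafkaCluster.visible);
        boolean grantedSubClusterSeen = false;
        for (VisibilityResponse.ClusterVisibility subCluster : subClusters(whileGranted)) {
            if (StringUtils.equals(str, subCluster.id)) {
                grantedSubClusterSeen = true;
                Assert.assertTrue(subCluster.visible, "Positive Test : The valid sub-clusterId should be visible");
            } else {
                Assert.assertFalse(subCluster.visible, "Negative Test : Other sub-clusters should not be visible");
            }
        }
        // Without this the positive check passes vacuously when the response omits the entry.
        Assert.assertTrue(grantedSubClusterSeen, "Response should contain an entry for sub-cluster " + str);

        assertNoContent(this.superUserClient
                .removeRoleForPrincipal(userPrincipal, "ClusterAdmin", mdsScope)
                .execute().code());
        // Mirror the pre-grant checks: no roles on the sub-cluster scope or the Kafka cluster.
        ApiValidationUtil.verifyPrincipalHasNoRoles(this.superUserClient, userPrincipal, mdsScope);
        ApiValidationUtil.verifyPrincipalHasNoRoles(this.superUserClient, userPrincipal, this.secondaryClusterId);
        VisibilityResponse afterRevoke = fetchVisibility(userClient, userPrincipal, requests).get(0);
        Assert.assertFalse(afterRevoke.kafkaCluster.visible);
        // After revocation every sub-cluster must be hidden, not only the one that was granted.
        for (VisibilityResponse.ClusterVisibility subCluster : subClusters(afterRevoke)) {
            Assert.assertFalse(subCluster.visible, "No sub-clusters should be visible");
        }
    }

    /** Builds a visibility request for a Kafka cluster with no sub-clusters listed. */
    private static VisibilityRequest kafkaOnlyRequest(String clusterId) {
        return new VisibilityRequest(
                clusterId, Collections.emptyList(), Collections.emptyList(), Collections.emptyList());
    }

    /** Builds the request for the secondary cluster that lists sub-clusters c1, s1 and k1. */
    private VisibilityRequest subClusterRequest() {
        return new VisibilityRequest(
                this.secondaryClusterId,
                Collections.singletonList("c1"),
                Collections.singletonList("s1"),
                Collections.singletonList("k1"));
    }

    /**
     * Calls the visibility endpoint and returns the typed response body.
     *
     * @param client API client authenticated as the user under test
     * @param principal principal whose visibility is queried
     * @param requests clusters to ask about
     * @return the response list; never {@code null}
     * @throws IOException if the HTTP call fails
     */
    @SuppressWarnings("unchecked")
    private static List<VisibilityResponse> fetchVisibility(
            V1RbacRestApi client, String principal, List<VisibilityRequest> requests) throws IOException {
        // Cast through List<?> so this compiles whatever generic type the API method declares.
        List<VisibilityResponse> body = (List<VisibilityResponse>) (List<?>)
                client.getVisibilityForPrincipal(principal, requests).execute().body();
        // Fail with a clear message instead of a NullPointerException further down.
        Assert.assertNotNull(body, "Visibility endpoint returned no body for " + principal);
        return body;
    }

    /** Concatenates the Connect, Schema Registry and KSQL entries of one response. */
    private static List<VisibilityResponse.ClusterVisibility> subClusters(VisibilityResponse response) {
        return Stream.concat(
                        Stream.concat(response.connectClusters.stream(), response.schemaRegistryClusters.stream()),
                        response.ksqlClusters.stream())
                .collect(Collectors.toList());
    }

    /** Asserts the id and the visibility flag of the Kafka cluster entry in {@code response}. */
    private static void assertKafkaCluster(VisibilityResponse response, String expectedId, boolean expectedVisible) {
        // TestNG's assertEquals takes (actual, expected, message).
        Assert.assertEquals(response.kafkaCluster.id, expectedId, "Cluster Id should match");
        if (expectedVisible) {
            Assert.assertTrue(response.kafkaCluster.visible, "Cluster " + expectedId + " should be visible");
        } else {
            Assert.assertFalse(response.kafkaCluster.visible, "Cluster " + expectedId + " should not be visible");
        }
    }

    /** Asserts that a role-binding change was answered with HTTP 204. */
    private static void assertNoContent(int statusCode) {
        Assert.assertEquals(statusCode, HTTP_NO_CONTENT, "Role-binding change should return HTTP 204");
    }

    /**
     * Returns the role names the super-user client reports for a principal at a scope.
     *
     * @throws IOException if the HTTP call fails
     */
    @SuppressWarnings("unchecked")
    private List<String> lookupRolesForPrincipal(String principal, MdsScope scope) throws IOException {
        return (List<String>) (List<?>)
                this.superUserClient.getRoleNamesForPrincipal(principal, scope).execute().body();
    }

    /**
     * Asserts that the principal holds no roles at the given scope.
     *
     * @throws IOException if the HTTP call fails
     */
    private void verifyPrincipalHasNoRoles(String principal, MdsScope scope) throws IOException {
        List<String> roles = lookupRolesForPrincipal(principal, scope);
        Assert.assertNotNull(roles);
        Assert.assertEquals(roles.size(), 0);
    }
}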
