package integration.rbacapi.api.v1;

import com.google.common.collect.Sets;
import functional.stubs.StubApplicationUtil;
import io.confluent.rbacapi.entities.ClusterInfo;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.retrofit.v1.V1RbacRestApi;
import io.confluent.rbacapi.retrofit.v1.V1RbacRetrofitFactory;
import io.confluent.rbacapi.utils.ClusterType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.TestIndependenceUtil;
import io.confluent.testing.ldap.client.ExampleComLdapCrud;
import io.confluent.testing.ldap.client.LdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.apache.kafka.common.resource.PatternType;
import org.awaitility.Awaitility;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.testng.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
import retrofit2.Response;
import utils.ClusterInfoUtil;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;
import utils.RoleCrudUtil;
import utils.ScopeBuilder;

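/**
 * Integration tests for the visibility rules of the MDS cluster registry listing.
 *
 * <p>Each test creates a fresh LDAP principal, binds one or more roles to it through the broker
 * user's client, and then lists the registry as that principal. The expectations encoded in the
 * data providers are:
 *
 * <ul>
 *   <li>roles bound on the metadata (MDS) cluster: {@code SystemAdmin} sees every registered
 *       cluster in full; {@code ClusterAdmin}, {@code Operator}, {@code SecurityAdmin} and
 *       {@code UserAdmin} see nothing;
 *   <li>cluster roles bound on a registered cluster: {@code SystemAdmin}, {@code ClusterAdmin}
 *       and {@code Operator} see that cluster in full; {@code UserAdmin} and
 *       {@code SecurityAdmin} see only its redacted form;
 *   <li>resource roles bound on a registered cluster: only the redacted form is visible;
 *   <li>no binding on any registered cluster: the listing is empty.
 * </ul>
 *
 * <p>"Redacted" means the value returned by {@code ClusterInfo#redact()}; which fields that
 * removes is not visible from this class.
 */
@Test(groups = {"classParallelTests"})
public class ClusterRegistryVisibilityTest {
    /** LDAP principal the brokers run as; the tests use it as the super user. */
    private static final String BROKER_USER = "kafka";

    private RbacClusters rbacClusters;
    private LdapServer ldapServer;
    private LdapCrud ldapCrud;
    /** MDS client authenticated as {@link #BROKER_USER}; used to create every role binding. */
    private V1RbacRestApi brokerSuperUserClient;
    private int actualMdsPort;

    /** How much of a registered cluster a principal is expected to see. */
    private enum ReadLevel {
        NO_ACCESS,
        REDACTED_ACCESS,
        FULL_ACCESS
    }

    /**
     * Starts an empty LDAP server, creates the broker user, and boots the RBAC clusters with the
     * stub cluster registry preloaded through the
     * {@code confluent.metadata.server.cluster.registry.clusters} broker config.
     */
    @BeforeClass
    public void setUp() throws Exception {
        this.ldapServer = LdapServer.defaultServerNoUsers().start();
        int ldapPort = this.ldapServer.actualPort();
        this.ldapCrud = new ExampleComLdapCrud(ldapPort);
        this.ldapCrud.createUser(BROKER_USER);

        RbacClusters.Config config = KafkaConfigTool.justLDAPv1(ldapPort, BROKER_USER);
        config.overrideMetadataBrokerConfig(
                "confluent.metadata.server.cluster.registry.clusters",
                StubApplicationUtil.TEST_DEFAULT_CLUSTER_REGISTRY_JSON_BLOB);
        this.rbacClusters = new RbacClusters(config);
        this.actualMdsPort = MdsTestUtil.lookupActualMdsPort(this.rbacClusters);
        this.brokerSuperUserClient = clientFor(BROKER_USER);
    }

    /**
     * Releases the LDAP server, the clusters and the MDS port. The steps are chained with
     * {@code finally} so that a failure in one of them does not leave the others allocated.
     */
    @AfterClass
    public void tearDown() {
        try {
            this.ldapServer.stop();
        } finally {
            try {
                this.rbacClusters.shutdown();
            } finally {
                MdsTestUtil.releasePort(this.actualMdsPort);
            }
        }
    }

    /** Cluster type filter paired with the number of registry entries the super user must get. */
    @DataProvider
    public Object[][] superUser_FilterClustersByType() {
        return new Object[][] {
            {ClusterType.CONNECT_CLUSTER, 1},
            {ClusterType.KAFKA_CLUSTER, 1},
            {ClusterType.KSQL_CLUSTER, 1},
            {ClusterType.SCHEMA_REGISTRY_CLUSTER, 1},
            {ClusterType.NOT_SPECIFIED, 4},
        };
    }

    /**
     * The broker user lists the registry filtered by type and must receive the expected number
     * of entries, none of them redacted.
     */
    @Test(dataProvider = "superUser_FilterClustersByType")
    public void brokerAdmin_FilterClustersByTypeTest(ClusterType clusterType, int expectedCount) throws Throwable {
        List<ClusterInfo> clusters = clustersIn(this.brokerSuperUserClient.getClusters(clusterType).execute());
        MatcherAssert.assertThat(clusters, CoreMatchers.notNullValue());
        MatcherAssert.assertThat(clusters.size(), CoreMatchers.is(expectedCount));
        for (ClusterInfo cluster : clusters) {
            // A framework assertion rather than the `assert` keyword: the redaction check must
            // not turn into a no-op when the JVM runs without -ea.
            Assert.assertFalse(
                    ClusterInfoUtil.isRedacted(cluster),
                    "super user received a redacted registry entry for cluster type " + clusterType);
        }
    }

    /** Cluster roles bound on the metadata cluster, with the registry visibility they grant. */
    @DataProvider(parallel = true)
    public static Object[][] clusterRolesOnMdsReadAllAbility() {
        return new Object[][] {
            {"SystemAdmin", ReadLevel.FULL_ACCESS},
            {"ClusterAdmin", ReadLevel.NO_ACCESS},
            {"Operator", ReadLevel.NO_ACCESS},
            {"SecurityAdmin", ReadLevel.NO_ACCESS},
            {"UserAdmin", ReadLevel.NO_ACCESS},
        };
    }

    /**
     * Binds {@code roleName} on the metadata cluster's Kafka scope and checks how much of the
     * whole registry the new principal can then see.
     */
    @Test(dataProvider = "clusterRolesOnMdsReadAllAbility")
    public void otherMdsAdmins_ReadTest(String roleName, ReadLevel expectedAccess) throws Throwable {
        String userName = createUniqueUser("mdsAdminUser-");
        MdsScope mdsClusterScope = new MdsScope(Scope.kafkaClusterScope(this.rbacClusters.metadataClusterId()));
        RoleCrudUtil.assignClusterRole(this.brokerSuperUserClient, mdsClusterScope, userName, roleName);

        Set<ClusterInfo> allRegistered =
                new HashSet<>(StubApplicationUtil.TEST_DEFAULT_CLUSTER_REGISTRY_CLUSTERS.values());
        assertVisibility(expectedAccess, allRegistered, userName);
    }

    /** Cluster roles bound on one registered cluster, with the visibility of that cluster. */
    @DataProvider(parallel = true)
    public static Object[][] clusterRolesOnOtherClustersCanSeeOnlyThose() {
        return new Object[][] {
            {"SystemAdmin", ReadLevel.FULL_ACCESS},
            {"ClusterAdmin", ReadLevel.FULL_ACCESS},
            {"Operator", ReadLevel.FULL_ACCESS},
            {"UserAdmin", ReadLevel.REDACTED_ACCESS},
            {"SecurityAdmin", ReadLevel.REDACTED_ACCESS},
        };
    }

    /** A cluster role bound directly to a user on the Connect cluster exposes only that cluster. */
    @Test(dataProvider = "clusterRolesOnOtherClustersCanSeeOnlyThose")
    public void testUserClusterRoleVisibility(String roleName, ReadLevel expectedAccess) throws IOException {
        String userName = createUniqueUser("testUser-");
        ClusterInfo connectCluster = registeredCluster(ClusterType.CONNECT_CLUSTER);
        RoleCrudUtil.assignClusterRole(
                this.brokerSuperUserClient, new MdsScope(connectCluster.getScope()), userName, roleName);
        assertVisibility(expectedAccess, Collections.singleton(connectCluster), userName);
    }

    /** Same as the user variant, but the role is bound to a group the user belongs to. */
    @Test(dataProvider = "clusterRolesOnOtherClustersCanSeeOnlyThose")
    public void testGroupClusterRoleVisibility(String roleName, ReadLevel expectedAccess) throws IOException {
        String userName = createUniqueUser("testUser-");
        String groupName = createUniqueGroupWith(userName);
        ClusterInfo kafkaCluster = registeredCluster(ClusterType.KAFKA_CLUSTER);
        RoleCrudUtil.assignClusterRole(
                this.brokerSuperUserClient, new MdsScope(kafkaCluster.getScope()), "Group:" + groupName, roleName);
        assertVisibility(expectedAccess, Collections.singleton(kafkaCluster), userName);
    }

    /** Resource-level roles; every one of them is expected to yield a redacted entry only. */
    @DataProvider(parallel = true)
    public static Object[][] resourceRoles() {
        return new Object[][] {
            {"ResourceOwner", ReadLevel.REDACTED_ACCESS},
            {"DeveloperRead", ReadLevel.REDACTED_ACCESS},
            {"DeveloperWrite", ReadLevel.REDACTED_ACCESS},
            {"DeveloperManage", ReadLevel.REDACTED_ACCESS},
        };
    }

    /** A resource role on topic {@code t1} bound to a user on the Kafka cluster. */
    @Test(dataProvider = "resourceRoles")
    public void testUserResourceRoleVisibility(String roleName, ReadLevel expectedAccess) throws IOException {
        String userName = createUniqueUser("testUser-");
        ClusterInfo kafkaCluster = registeredCluster(ClusterType.KAFKA_CLUSTER);
        RoleCrudUtil.assignResourceRole(
                this.brokerSuperUserClient,
                new MdsScope(kafkaCluster.getScope()),
                userName,
                roleName,
                RoleCrudUtil.newSingletonResource("Topic", "t1", PatternType.LITERAL));
        assertVisibility(expectedAccess, Collections.singleton(kafkaCluster), userName);
    }

    /** A resource role on topic {@code t2} bound to a group the user belongs to. */
    @Test(dataProvider = "resourceRoles")
    public void testGroupResourceRoleVisibility(String roleName, ReadLevel expectedAccess) throws IOException {
        String userName = createUniqueUser("testUser-");
        String groupName = createUniqueGroupWith(userName);
        ClusterInfo kafkaCluster = registeredCluster(ClusterType.KAFKA_CLUSTER);
        RoleCrudUtil.assignResourceRole(
                this.brokerSuperUserClient,
                new MdsScope(kafkaCluster.getScope()),
                "Group:" + groupName,
                roleName,
                RoleCrudUtil.newSingletonResource("Topic", "t2", PatternType.LITERAL));
        assertVisibility(expectedAccess, Collections.singleton(kafkaCluster), userName);
    }

    /**
     * {@code DeveloperRead} on the Kafka cluster plus {@code SystemAdmin} on the Connect cluster:
     * the Connect entry is full, the Kafka entry stays redacted.
     */
    @Test
    public void testUserWithMixedRolesOnDifferentClusters() throws IOException {
        String userName = createUniqueUser("testUser-");
        ClusterInfo kafkaCluster = registeredCluster(ClusterType.KAFKA_CLUSTER);
        ClusterInfo connectCluster = registeredCluster(ClusterType.CONNECT_CLUSTER);
        RoleCrudUtil.assignResourceRole(
                this.brokerSuperUserClient,
                new MdsScope(kafkaCluster.getScope()),
                userName,
                "DeveloperRead",
                RoleCrudUtil.newSingletonResource("Topic", "t1", PatternType.LITERAL));
        RoleCrudUtil.assignClusterRole(
                this.brokerSuperUserClient, new MdsScope(connectCluster.getScope()), userName, "SystemAdmin");
        validateClusterRegistry(
                Collections.singleton(connectCluster), Collections.singleton(kafkaCluster), userName);
    }

    /**
     * {@code DeveloperRead} and {@code SystemAdmin} on the same cluster: the stronger binding
     * wins and the entry is returned in full, with no redacted duplicate.
     */
    @Test
    public void testUserWithMixedRolesOnSameCluster() throws IOException {
        String userName = createUniqueUser("testUser-");
        ClusterInfo kafkaCluster = registeredCluster(ClusterType.KAFKA_CLUSTER);
        MdsScope kafkaScope = new MdsScope(kafkaCluster.getScope());
        RoleCrudUtil.assignResourceRole(
                this.brokerSuperUserClient,
                kafkaScope,
                userName,
                "DeveloperRead",
                RoleCrudUtil.newSingletonResource("Topic", "t1", PatternType.LITERAL));
        RoleCrudUtil.assignClusterRole(this.brokerSuperUserClient, kafkaScope, userName, "SystemAdmin");
        validateClusterRegistry(Collections.singleton(kafkaCluster), Collections.emptySet(), userName);
    }

    /**
     * {@code SystemAdmin} on two clusters and {@code SecurityAdmin} on the other two: checks the
     * set of visible entries, then delegates the ordering and count check (4 entries) to
     * {@code ClusterRegistryReconfigureTest.verifyOrderAndCountOfVisibleClusters}.
     */
    @Test
    public void testSortedFullClustersFollowedByRedactedFullClusters() throws IOException {
        String userName = createUniqueUser("testUser-");
        List<ClusterInfo> fullClusters = Arrays.asList(
                registeredCluster(ClusterType.KAFKA_CLUSTER),
                registeredCluster(ClusterType.SCHEMA_REGISTRY_CLUSTER));
        List<ClusterInfo> redactedClusters = Arrays.asList(
                registeredCluster(ClusterType.CONNECT_CLUSTER),
                registeredCluster(ClusterType.KSQL_CLUSTER));
        for (ClusterInfo cluster : fullClusters) {
            RoleCrudUtil.assignClusterRole(
                    this.brokerSuperUserClient, new MdsScope(cluster.getScope()), userName, "SystemAdmin");
        }
        for (ClusterInfo cluster : redactedClusters) {
            RoleCrudUtil.assignClusterRole(
                    this.brokerSuperUserClient, new MdsScope(cluster.getScope()), userName, "SecurityAdmin");
        }
        validateClusterRegistry(new HashSet<>(fullClusters), new HashSet<>(redactedClusters), userName);
        ClusterRegistryReconfigureTest.verifyOrderAndCountOfVisibleClusters(clientFor(userName), 4);
    }

    /**
     * {@code SystemAdmin} on a Kafka cluster named {@code "unknown"} (built with
     * {@code ScopeBuilder.withKafka("unknown")}) must not reveal any registry entry.
     */
    @Test
    public void userWithNoRolesOnCRClustersSeesNothing() throws IOException {
        String userName = createUniqueUser("testUser-");
        RoleCrudUtil.assignClusterRole(
                this.brokerSuperUserClient, ScopeBuilder.withKafka("unknown").build(), userName, "SystemAdmin");
        assertListsRolesButNoClusters(userName);
    }

    /** A principal with no role binding at all can list role names but sees an empty registry. */
    @Test
    public void noRoleUserSeesNothing() throws IOException {
        String userName = createUniqueUser("userWithNoRoles-");
        assertListsRolesButNoClusters(userName);
    }

    /** Creates an LDAP user named {@code prefix} plus a unique integer and returns the name. */
    private String createUniqueUser(String prefix) throws IOException {
        String userName = prefix + TestIndependenceUtil.getUniqueInteger();
        this.ldapCrud.createUser(userName);
        return userName;
    }

    /** Creates a uniquely named LDAP group, adds {@code userName} to it, and returns its name. */
    private String createUniqueGroupWith(String userName) throws IOException {
        String groupName = "testGroup-" + TestIndependenceUtil.getUniqueInteger();
        this.ldapCrud.createGroup(groupName);
        this.ldapCrud.addUserToGroup(userName, groupName);
        return groupName;
    }

    /** Looks up the stub registry entry for {@code type}. */
    private static ClusterInfo registeredCluster(ClusterType type) {
        return StubApplicationUtil.TEST_DEFAULT_CLUSTER_REGISTRY_CLUSTERS.get(type);
    }

    /** Builds an MDS client that authenticates as {@code userName}. */
    private V1RbacRestApi clientFor(String userName) {
        return V1RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, userName);
    }

    /**
     * Returns the body of a cluster listing response, or {@code null} when it has none.
     *
     * <p>The generic signature of {@code V1RbacRestApi} is not visible from this class, so the
     * body is cast here in one place instead of through raw {@code List} casts at every call.
     */
    @SuppressWarnings("unchecked")
    private static List<ClusterInfo> clustersIn(Response<?> response) {
        return (List<ClusterInfo>) response.body();
    }

    /**
     * Maps an expected {@link ReadLevel} for {@code clusters} onto the full/redacted sets that
     * {@link #validateClusterRegistry} compares against.
     */
    private void assertVisibility(ReadLevel expectedAccess, Set<ClusterInfo> clusters, String userName) {
        switch (expectedAccess) {
            case FULL_ACCESS:
                validateClusterRegistry(clusters, Collections.emptySet(), userName);
                break;
            case REDACTED_ACCESS:
                validateClusterRegistry(Collections.emptySet(), clusters, userName);
                break;
            default:
                // NO_ACCESS: the listing must be empty.
                validateClusterRegistry(Collections.emptySet(), Collections.emptySet(), userName);
                break;
        }
    }

    /**
     * Checks that {@code userName} is accepted by MDS (role names are listable, status 200) and
     * yet receives an empty cluster registry.
     */
    private void assertListsRolesButNoClusters(String userName) throws IOException {
        V1RbacRestApi client = clientFor(userName);

        Response<?> rolesResponse = client.getRoleNames().execute();
        Assert.assertEquals(rolesResponse.code(), 200);
        List<?> roleNames = (List<?>) rolesResponse.body();
        Assert.assertNotNull(roleNames);
        Assert.assertTrue(roleNames.size() > 3);

        // NOTE(review): this reads the registry once, right after any binding was created. If
        // bindings reach the authorizer asynchronously (the positive cases poll, which suggests
        // so), an empty list here may be observed before the binding is effective - confirm.
        List<ClusterInfo> clusters = clustersIn(client.getClusters().execute());
        MatcherAssert.assertThat(clusters, CoreMatchers.notNullValue());
        MatcherAssert.assertThat(clusters.size(), CoreMatchers.is(0));
    }

    /**
     * Lists the registry as {@code userName} and waits up to five seconds for it to equal
     * exactly {@code fullClusters} plus the redacted form of each of {@code redactedClusters}.
     *
     * <p>The comparison is on sets, so an extra entry fails the check just like a missing one.
     *
     * <p>NOTE(review): when both expected sets are empty the first poll is likely to succeed for
     * a freshly created principal, whether or not the role binding has been applied yet. The
     * negative (NO_ACCESS) cases are therefore weaker evidence than the positive ones - confirm
     * whether binding propagation should be awaited first.
     */
    private void validateClusterRegistry(
            Set<ClusterInfo> fullClusters, Set<ClusterInfo> redactedClusters, String userName) {
        V1RbacRestApi client = clientFor(userName);
        Set<ClusterInfo> expectedRedacted =
                redactedClusters.stream().map(cluster -> cluster.redact()).collect(Collectors.toSet());
        Set<ClusterInfo> expected = Sets.union(fullClusters, expectedRedacted);
        Awaitility.await().atMost(5L, TimeUnit.SECONDS).untilAsserted(() -> {
            List<ClusterInfo> visible = clustersIn(client.getClusters().execute());
            MatcherAssert.assertThat(visible, CoreMatchers.notNullValue());
            Set<ClusterInfo> actual = new HashSet<>(visible);
            MatcherAssert.assertThat(actual, CoreMatchers.is(expected));
        });
    }
}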
