package integration.rbacapi.configuration;

import integration.rbacapi.kafka.MdsKafkaTokenIntegrationTest;
import io.confluent.kafka.clients.plugins.auth.token.TokenBearerLoginCallbackHandler;
import io.confluent.rbacapi.retrofit.v1.V1RbacRetrofitFactory;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.auth.client.provider.BuiltInAuthProviders;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.tokenapi.entities.AuthenticationResponse;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Properties;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.serialization.StringSerializer;
import org.testng.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;

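/**
 * Integration test that logs in to the metadata service (MDS) of an RBAC test cluster with the
 * credentials of {@code testHashUser} and checks both REST authorization and token-based Kafka
 * access.
 *
 * <p>The cluster is built from {@code KafkaConfigTool.hashWithTokens(...)}; presumably this enables
 * a hashed credential store plus a token listener (confirm against {@code KafkaConfigTool}).
 *
 * <p>Security notes for readers reusing this fixture:
 * <ul>
 *   <li>The happy path uses a password equal to the user name. That is a fixture-only credential
 *       and must never leave the test cluster.</li>
 *   <li>The Kafka client talks {@code SASL_PLAINTEXT}, so the bearer token travels unencrypted.
 *       This is acceptable only against the in-process test cluster.</li>
 *   <li>The test user is bound to {@code ResourceOwner} on a single literal topic; the
 *       {@code DENIED} assertion on the second topic is the least-privilege check.</li>
 * </ul>
 */
@Test(groups = {"tokenTests"})
public class HashLoginIntegrationTest {
    private static final String BROKER_USER = "kafka";
    private static final String TEST_USER = "testHashUser";
    /** Topic the test user is granted {@code ResourceOwner} on in {@link #setUp()}. */
    private static final String ALLOWED_TOPIC = "TestTopic";
    /** Topic with no role binding; every access to it must be denied. */
    private static final String DENIED_TOPIC = "SensitiveTopic";

    private RbacClusters rbacClusters;
    private int actualMdsPort;
    private final int mdsTestPort = MdsTestUtil.getUniqueishMdsPort();
    private final KafkaPrincipal clientPrincipal = new KafkaPrincipal("User", TEST_USER);

    /**
     * Starts the RBAC test cluster and grants the test user {@code ResourceOwner} on exactly one
     * literal topic, so that authorization results for other topics can be asserted as denied.
     *
     * @throws Exception if the cluster cannot be started or the role cannot be assigned
     */
    @BeforeClass
    public void setUp() throws Exception {
        this.rbacClusters = new RbacClusters(
                KafkaConfigTool.hashWithTokens(BROKER_USER, Arrays.asList(BROKER_USER, TEST_USER), this.mdsTestPort));
        this.actualMdsPort = MdsTestUtil.lookupActualMdsPort(this.rbacClusters);
        this.rbacClusters.assignRole(
                "User",
                TEST_USER,
                "ResourceOwner",
                this.rbacClusters.kafkaClusterId(),
                Collections.singleton(new ResourcePattern("Topic", ALLOWED_TOPIC, PatternType.LITERAL)));
    }

    /** Shuts the cluster down and releases the MDS port, even when shutdown itself fails. */
    @AfterClass
    public void tearDown() {
        try {
            // Guard against a setUp() that failed before the cluster was created.
            if (this.rbacClusters != null) {
                this.rbacClusters.shutdown();
            }
        } finally {
            // Release the port in all cases so a failed shutdown does not leak it.
            MdsTestUtil.releasePort(this.actualMdsPort);
        }
    }

    /** Valid credentials: the authorizer must answer ALLOWED / DENIED per the role binding. */
    @Test
    public void testRestAuthorizer_HappyAuthentication() throws Exception {
        // Fixture credential: the password is the user name itself.
        verifyRestAuthorizerAuthentication(TEST_USER);
    }

    /**
     * Wrong password: the authorizer call is expected to fail.
     *
     * <p>NOTE(review): {@code RuntimeException} is a very broad expectation. Any unrelated runtime
     * failure (for example a {@code NullPointerException} or an unreachable MDS) also satisfies it,
     * so this test can pass without the credential ever being rejected. Narrow it to the exception
     * type the REST client raises for an authentication failure once that type is confirmed.
     */
    @Test(expectedExceptions = {RuntimeException.class})
    public void testRestAuthorizer_InvalidAuthentication() throws Exception {
        verifyRestAuthorizerAuthentication("invalid");
    }

    /**
     * Obtains an authentication token from MDS and uses it to produce to the allowed topic over the
     * cluster's {@code TOKEN} listener.
     *
     * @throws Exception if the token cannot be issued or the produce check fails
     */
    @Test
    public void testTokensWithKafka() throws Exception {
        AuthenticationResponse response = (AuthenticationResponse) V1RbacRetrofitFactory
                .build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, TEST_USER, TEST_USER)
                .issueToken()
                .execute()
                .body();
        // Fail with a clear message instead of a NullPointerException when no token was issued.
        // The token value itself is deliberately kept out of the message.
        Assert.assertNotNull(response, "MDS returned no body for the token request");
        String authenticationToken = response.authenticationToken();
        String mdsUrl = MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST + ":" + this.actualMdsPort;

        Properties properties = new Properties();
        properties.setProperty("bootstrap.servers", this.rbacClusters.kafkaCluster.bootstrapServers("TOKEN"));
        // Test-only transport: SASL_PLAINTEXT exposes the bearer token on the wire.
        // Outside a local test cluster the TLS-protected SASL_SSL protocol should be used.
        properties.setProperty("security.protocol", "SASL_PLAINTEXT");
        properties.setProperty("sasl.mechanism", "OAUTHBEARER");
        properties.setProperty("key.serializer", StringSerializer.class.getName());
        properties.setProperty("value.serializer", StringSerializer.class.getName());
        // The token is spliced into a quoted JAAS option without escaping. That is fine for a
        // token issued by the test MDS; a value containing a double quote would corrupt the
        // configuration, so this pattern must not be reused with untrusted input.
        properties.setProperty(
                "sasl.jaas.config",
                "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required  authenticationToken=\""
                        + authenticationToken
                        + "\" metadataServerUrls=\""
                        + mdsUrl
                        + "\";");
        properties.setProperty("sasl.login.callback.handler.class", TokenBearerLoginCallbackHandler.class.getName());
        MdsKafkaTokenIntegrationTest.verifyProduce(properties, ALLOWED_TOPIC);
    }

    /**
     * Authorizes a write to the allowed topic and to the unbound topic using basic-auth credentials
     * {@code testHashUser:<password>} and asserts ALLOWED for the first and DENIED for the second.
     *
     * @param password password sent to MDS for the test user
     * @throws Exception if authorization or closing the authorizer fails
     */
    private void verifyRestAuthorizerAuthentication(String password) throws Exception {
        // try-with-resources closes the authorizer on every path and keeps suppressed exceptions.
        try (RestAuthorizer authorizer = createRestAuthorizer(password)) {
            Scope clusterScope = Scope.kafkaClusterScope(this.rbacClusters.kafkaClusterId());
            List<Action> actions = Arrays.asList(
                    new Action(clusterScope, new ResourceType("Topic"), ALLOWED_TOPIC, new Operation("Write")),
                    new Action(clusterScope, new ResourceType("Topic"), DENIED_TOPIC, new Operation("Write")));

            List<?> results = authorizer.authorize(this.clientPrincipal, "", actions);

            // TestNG argument order is (actual, expected).
            Assert.assertEquals(results.size(), 2);
            Assert.assertEquals(results.get(0), AuthorizeResult.ALLOWED);
            // Least-privilege check: no role binding exists for this topic.
            Assert.assertEquals(results.get(1), AuthorizeResult.DENIED);
        }
    }

    /**
     * Builds a {@link RestAuthorizer} that authenticates to MDS with HTTP basic auth as the test
     * user.
     *
     * @param password password placed after the user name in the basic-auth user info
     * @return a configured authorizer; the caller is responsible for closing it
     */
    private RestAuthorizer createRestAuthorizer(String password) {
        HashMap<String, Object> config = new HashMap<>();
        config.put(
                "confluent.metadata.bootstrap.server.urls",
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST + ":" + this.actualMdsPort);
        config.put(
                "confluent.metadata.http.auth.credentials.provider",
                BuiltInAuthProviders.HttpCredentialProviders.BASIC.name());
        // Credentials are passed in clear text in the client configuration; test fixture only.
        config.put("confluent.metadata.basic.auth.user.info", String.format("%s:%s", TEST_USER, password));
        config.put(
                "confluent.metadata.basic.auth.credentials.provider",
                BuiltInAuthProviders.BasicAuthCredentialProviders.USER_INFO.name());

        RestAuthorizer restAuthorizer = new RestAuthorizer();
        restAuthorizer.configure(config);
        return restAuthorizer;
    }
}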
