package integration.rbacapi.kafka;

import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.ldap.client.ExampleComLdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.concurrent.ExecutionException;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AccessControlEntryFilter;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourcePatternFilter;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.test.TestUtils;
import org.junit.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;

@Test(groups = {"classParallelTests"})
/* loaded from: input_file:integration/rbacapi/kafka/AclClientEndToEndTest.class */
public class AclClientEndToEndTest {
    private static final String BROKER_USER = "kafka";
    private static final String USER_ADMIN = "user-admin";
    private static final String USER_ADMIN_PASSWORD = "user-admin-password";
    private static final String CLUSTER_ADMIN = "clusterAdmin";
    private static final String DEVELOPER1 = "app1-developer";
    private static final String DEVELOPER2 = "app2-developer";
    private static final String RESOURCE_OWNER = "resourceOwner";
    private static final String APP1_TOPIC = "app1-topic";
    private static final String APP1_CONSUMER_GROUP = "app1-consumer-group";
    private static final String APP2_TOPIC = "app2-topic";
    private static final String APP2_CONSUMER_GROUP = "app2-consumer-group";
    private static LdapServer ldapServer;
    private static RbacClusters rbacClusters;
    private static int actualMdsPort;

    @BeforeClass
    public static void setUp() throws Throwable {
        ldapServer = LdapServer.defaultServerNoUsers().start();
        int actualPort = ldapServer.actualPort();
        new ExampleComLdapCrud(actualPort).createUser(USER_ADMIN, USER_ADMIN_PASSWORD);
        RbacClusters.Config withManagedCluster = KafkaConfigTool.justLDAPv1(actualPort, "kafka", (List<String>) Arrays.asList(DEVELOPER1, DEVELOPER2, RESOURCE_OWNER, CLUSTER_ADMIN)).withManagedCluster(true);
        withManagedCluster.overrideMetadataBrokerConfig("confluent.authorizer.access.rule.providers", "CONFLUENT");
        withManagedCluster.overrideBrokerConfig("confluent.authorizer.access.rule.providers", "CONFLUENT");
        rbacClusters = new RbacClusters(withManagedCluster);
        actualMdsPort = MdsTestUtil.lookupActualMdsPort(rbacClusters);
        String kafkaClusterId = rbacClusters.kafkaClusterId();
        rbacClusters.kafkaCluster.createTopic(APP1_TOPIC, 2, 1);
        rbacClusters.kafkaCluster.createTopic(APP2_TOPIC, 2, 1);
        rbacClusters.assignRole("User", CLUSTER_ADMIN, "ClusterAdmin", kafkaClusterId, Collections.emptySet());
        rbacClusters.assignRole("User", USER_ADMIN, "UserAdmin", kafkaClusterId, Collections.emptySet());
    }

    @AfterClass
    public static void tearDown() {
        ldapServer.stop();
        rbacClusters.shutdown();
        MdsTestUtil.releasePort(actualMdsPort);
    }

    @Test
    public void testProduceConsumeWithCentralizedAcl() throws Throwable {
        createAcls();
        rbacClusters.produceConsume(DEVELOPER1, APP1_TOPIC, APP1_CONSUMER_GROUP, true);
        rbacClusters.produceConsume(DEVELOPER2, APP1_TOPIC, APP1_CONSUMER_GROUP, false);
        rbacClusters.produceConsume(DEVELOPER2, APP2_TOPIC, APP2_CONSUMER_GROUP, true);
        rbacClusters.produceConsume(RESOURCE_OWNER, APP1_TOPIC, APP1_CONSUMER_GROUP, true);
        rbacClusters.produceConsume(RESOURCE_OWNER, APP2_TOPIC, APP1_CONSUMER_GROUP, true);
    }

    private void createAcls() throws Exception {
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", DEVELOPER1);
        KafkaPrincipal kafkaPrincipal2 = new KafkaPrincipal("User", DEVELOPER2);
        KafkaPrincipal kafkaPrincipal3 = new KafkaPrincipal("User", RESOURCE_OWNER);
        AdminClient buildAdminClient = rbacClusters.clientBuilder(CLUSTER_ADMIN).buildAdminClient();
        Throwable th = null;
        try {
            buildAdminClient.createAcls(Arrays.asList(new AclBinding(new ResourcePattern(ResourceType.TOPIC, APP1_TOPIC, PatternType.LITERAL), new AccessControlEntry(kafkaPrincipal.toString(), "*", AclOperation.READ, AclPermissionType.ALLOW)), new AclBinding(new ResourcePattern(ResourceType.GROUP, APP1_CONSUMER_GROUP, PatternType.LITERAL), new AccessControlEntry(kafkaPrincipal.toString(), "*", AclOperation.READ, AclPermissionType.ALLOW)), new AclBinding(new ResourcePattern(ResourceType.TOPIC, APP1_TOPIC, PatternType.LITERAL), new AccessControlEntry(kafkaPrincipal.toString(), "*", AclOperation.WRITE, AclPermissionType.ALLOW)))).all().get();
            buildAdminClient.createAcls(Arrays.asList(new AclBinding(new ResourcePattern(ResourceType.TOPIC, "app2", PatternType.PREFIXED), new AccessControlEntry(kafkaPrincipal2.toString(), "*", AclOperation.READ, AclPermissionType.ALLOW)), new AclBinding(new ResourcePattern(ResourceType.GROUP, "app2", PatternType.PREFIXED), new AccessControlEntry(kafkaPrincipal2.toString(), "*", AclOperation.READ, AclPermissionType.ALLOW)), new AclBinding(new ResourcePattern(ResourceType.TOPIC, "app2", PatternType.PREFIXED), new AccessControlEntry(kafkaPrincipal2.toString(), "*", AclOperation.WRITE, AclPermissionType.ALLOW)))).all().get();
            buildAdminClient.createAcls(Arrays.asList(new AclBinding(new ResourcePattern(ResourceType.TOPIC, "*", PatternType.LITERAL), new AccessControlEntry(kafkaPrincipal3.toString(), "*", AclOperation.ALL, AclPermissionType.ALLOW)), new AclBinding(new ResourcePattern(ResourceType.GROUP, "*", PatternType.LITERAL), new AccessControlEntry(kafkaPrincipal3.toString(), "*", AclOperation.ALL, AclPermissionType.ALLOW)))).all().get();
            if (buildAdminClient != null) {
                if (0 != 0) {
                    try {
                        buildAdminClient.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    buildAdminClient.close();
                }
            }
            rbacClusters.waitUntilAccessAllowed(DEVELOPER1, APP1_TOPIC);
            rbacClusters.waitUntilAccessAllowed(DEVELOPER2, APP2_TOPIC);
            rbacClusters.waitUntilAccessAllowed(RESOURCE_OWNER, APP1_TOPIC);
        } catch (Throwable th3) {
            if (buildAdminClient != null) {
                if (0 != 0) {
                    try {
                        buildAdminClient.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    buildAdminClient.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void testAdminClientAclAPI() throws Throwable {
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", DEVELOPER1);
        KafkaPrincipal kafkaPrincipal2 = new KafkaPrincipal("User", DEVELOPER2);
        KafkaPrincipal kafkaPrincipal3 = new KafkaPrincipal("User", RESOURCE_OWNER);
        AdminClient buildAdminClient = rbacClusters.clientBuilder(CLUSTER_ADMIN).buildAdminClient();
        Throwable th = null;
        try {
            try {
                buildAdminClient.deleteAcls(Collections.singletonList(AclBindingFilter.ANY)).all().get();
                TestUtils.waitForCondition(() -> {
                    try {
                        return ((Collection) buildAdminClient.describeAcls(AclBindingFilter.ANY).values().get()).isEmpty();
                    } catch (ExecutionException e) {
                        return false;
                    }
                }, "acls are not updated");
                AclBinding aclBinding = new AclBinding(new ResourcePattern(ResourceType.TOPIC, APP1_TOPIC, PatternType.LITERAL), new AccessControlEntry(kafkaPrincipal.toString(), "*", AclOperation.READ, AclPermissionType.ALLOW));
                AclBinding aclBinding2 = new AclBinding(new ResourcePattern(ResourceType.GROUP, APP1_CONSUMER_GROUP, PatternType.LITERAL), new AccessControlEntry(kafkaPrincipal.toString(), "*", AclOperation.READ, AclPermissionType.ALLOW));
                AclBinding aclBinding3 = new AclBinding(new ResourcePattern(ResourceType.TOPIC, APP1_TOPIC, PatternType.LITERAL), new AccessControlEntry(kafkaPrincipal.toString(), "*", AclOperation.WRITE, AclPermissionType.ALLOW));
                buildAdminClient.createAcls(Arrays.asList(aclBinding, aclBinding2, aclBinding3)).all().get();
                AclBindingFilter aclBindingFilter = new AclBindingFilter(ResourcePatternFilter.ANY, new AccessControlEntryFilter(kafkaPrincipal.toString(), "*", AclOperation.ANY, AclPermissionType.ANY));
                HashSet hashSet = new HashSet();
                hashSet.add(aclBinding);
                hashSet.add(aclBinding2);
                hashSet.add(aclBinding3);
                TestUtils.waitForCondition(() -> {
                    try {
                        return hashSet.equals(new HashSet((Collection) buildAdminClient.describeAcls(aclBindingFilter).values().get()));
                    } catch (ExecutionException e) {
                        return false;
                    }
                }, "acls are not updated");
                AclBinding aclBinding4 = new AclBinding(new ResourcePattern(ResourceType.TOPIC, "app2", PatternType.PREFIXED), new AccessControlEntry(kafkaPrincipal2.toString(), "*", AclOperation.READ, AclPermissionType.ALLOW));
                AclBinding aclBinding5 = new AclBinding(new ResourcePattern(ResourceType.GROUP, "app2", PatternType.PREFIXED), new AccessControlEntry(kafkaPrincipal2.toString(), "*", AclOperation.READ, AclPermissionType.ALLOW));
                AclBinding aclBinding6 = new AclBinding(new ResourcePattern(ResourceType.TOPIC, "app2", PatternType.PREFIXED), new AccessControlEntry(kafkaPrincipal2.toString(), "*", AclOperation.WRITE, AclPermissionType.ALLOW));
                buildAdminClient.createAcls(Arrays.asList(aclBinding4, aclBinding5, aclBinding6)).all().get();
                AclBindingFilter aclBindingFilter2 = new AclBindingFilter(ResourcePatternFilter.ANY, new AccessControlEntryFilter(kafkaPrincipal2.toString(), "*", AclOperation.ANY, AclPermissionType.ANY));
                HashSet hashSet2 = new HashSet();
                hashSet2.add(aclBinding4);
                hashSet2.add(aclBinding5);
                hashSet2.add(aclBinding6);
                TestUtils.waitForCondition(() -> {
                    try {
                        return hashSet2.equals(new HashSet((Collection) buildAdminClient.describeAcls(aclBindingFilter2).values().get()));
                    } catch (ExecutionException e) {
                        return false;
                    }
                }, "acls are not updated");
                AclBinding aclBinding7 = new AclBinding(new ResourcePattern(ResourceType.TOPIC, "*", PatternType.LITERAL), new AccessControlEntry(kafkaPrincipal3.toString(), "*", AclOperation.ALL, AclPermissionType.ALLOW));
                AclBinding aclBinding8 = new AclBinding(new ResourcePattern(ResourceType.GROUP, "*", PatternType.LITERAL), new AccessControlEntry(kafkaPrincipal3.toString(), "*", AclOperation.ALL, AclPermissionType.ALLOW));
                buildAdminClient.createAcls(Arrays.asList(aclBinding7, aclBinding8)).all().get();
                AclBindingFilter aclBindingFilter3 = new AclBindingFilter(ResourcePatternFilter.ANY, new AccessControlEntryFilter(kafkaPrincipal3.toString(), "*", AclOperation.ANY, AclPermissionType.ANY));
                HashSet hashSet3 = new HashSet();
                hashSet3.add(aclBinding7);
                hashSet3.add(aclBinding8);
                TestUtils.waitForCondition(() -> {
                    try {
                        return hashSet3.equals(new HashSet((Collection) buildAdminClient.describeAcls(aclBindingFilter3).values().get()));
                    } catch (ExecutionException e) {
                        return false;
                    }
                }, "acls are not updated");
                Collection collection = (Collection) buildAdminClient.describeAcls(AclBindingFilter.ANY).values().get();
                HashSet hashSet4 = new HashSet();
                hashSet4.addAll(hashSet);
                hashSet4.addAll(hashSet2);
                hashSet4.addAll(hashSet3);
                Assert.assertEquals(hashSet4, new HashSet(collection));
                Assert.assertEquals(hashSet, new HashSet((Collection) buildAdminClient.deleteAcls(Collections.singletonList(aclBindingFilter)).all().get()));
                HashSet hashSet5 = new HashSet();
                hashSet5.addAll(hashSet2);
                hashSet5.addAll(hashSet3);
                TestUtils.waitForCondition(() -> {
                    try {
                        return hashSet5.equals(new HashSet((Collection) buildAdminClient.describeAcls(AclBindingFilter.ANY).values().get()));
                    } catch (ExecutionException e) {
                        return false;
                    }
                }, "acls are not updated");
                Collection collection2 = (Collection) buildAdminClient.deleteAcls(Collections.singletonList(AclBindingFilter.ANY)).all().get();
                HashSet hashSet6 = new HashSet();
                hashSet6.addAll(hashSet2);
                hashSet6.addAll(hashSet3);
                Assert.assertEquals(hashSet6, new HashSet(collection2));
                TestUtils.waitForCondition(() -> {
                    try {
                        return ((Collection) buildAdminClient.describeAcls(AclBindingFilter.ANY).values().get()).isEmpty();
                    } catch (ExecutionException e) {
                        return false;
                    }
                }, "acls are not updated");
                if (buildAdminClient != null) {
                    if (0 == 0) {
                        buildAdminClient.close();
                        return;
                    }
                    try {
                        buildAdminClient.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (buildAdminClient != null) {
                if (th != null) {
                    try {
                        buildAdminClient.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    buildAdminClient.close();
                }
            }
            throw th4;
        }
    }
}
