package integration.rbacapi.kafka;

import integration.rbacapi.fixtures.timeouts.TimeoutMetadataServerProvider;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.auth.client.rest.RestClient;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.ldap.client.ExampleComLdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.junit.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;
import utils.SslConfigs;

@Test(groups = {"classParallelTests"})
/* loaded from: input_file:integration/rbacapi/kafka/HttpsRestClientIntegrationTest.class */
public class HttpsRestClientIntegrationTest {
    private static final String BROKER_USER = "kafka";
    private static final String APP1_TOPIC = "app1-topic";
    private static String clusterId;
    private static RbacClusters rbacClusters;
    private static LdapServer ldapServer;
    private static SslConfigs sslConfigs;
    private static int actualMdsPort;

    @BeforeClass
    public static void setUp() throws Throwable {
        String acquirePort = MdsTestUtil.acquirePort(8090);
        ldapServer = LdapServer.defaultServerNoUsers().start();
        int actualPort = ldapServer.actualPort();
        new ExampleComLdapCrud(actualPort).createUsers(new String[]{"kafka"});
        RbacClusters.Config justLDAPv1 = KafkaConfigTool.justLDAPv1(actualPort, "kafka");
        justLDAPv1.overrideMetadataBrokerConfig("super.users", "User:ANONYMOUS;User:kafka").overrideMetadataBrokerConfig("confluent.metadata.server.authentication.method", "NONE").overrideMetadataBrokerConfig("confluent.metadata.server.listeners", "https://0.0.0.0:" + acquirePort).overrideMetadataBrokerConfig("confluent.metadata.server.advertised.listeners", "https://localhost:" + acquirePort);
        sslConfigs = new SslConfigs();
        sslConfigs.serverConfigs().forEach((str, str2) -> {
            justLDAPv1.overrideMetadataBrokerConfig(TimeoutMetadataServerProvider.CONFIG_PREFIX + str, str2);
        });
        KafkaConfigTool.applyFastAuditLogShutdownConfig(justLDAPv1);
        rbacClusters = new RbacClusters(justLDAPv1);
        actualMdsPort = MdsTestUtil.lookupActualMdsPort(rbacClusters);
        clusterId = rbacClusters.metadataClusterId();
    }

    @AfterClass
    public static void tearDown() {
        try {
            ldapServer.stop();
            rbacClusters.shutdown();
            MdsTestUtil.releasePort(actualMdsPort);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    @Test
    public void testAuthorizationWithHostNameVerificationDisabled() throws Exception {
        HashMap hashMap = new HashMap();
        hashMap.put("confluent.metadata.bootstrap.server.urls", "https://127.0.0.1:" + actualMdsPort);
        hashMap.putAll(sslConfigs.clientConfigs());
        sslConfigs.clientConfigs().forEach((str, str2) -> {
            hashMap.put("confluent.metadata." + str, str2);
        });
        hashMap.put("confluent.metadata.ssl.endpoint.identification.algorithm", "");
        RestAuthorizer restAuthorizer = new RestAuthorizer(new RestClient(hashMap));
        Throwable th = null;
        try {
            try {
                verifyAuthorizeCall(restAuthorizer, userPrincipal("ANONYMOUS"), new Action(Scope.kafkaClusterScope(clusterId), new ResourceType("Topic"), APP1_TOPIC, new Operation("Write")), false);
                if (restAuthorizer != null) {
                    if (0 == 0) {
                        restAuthorizer.close();
                        return;
                    }
                    try {
                        restAuthorizer.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (restAuthorizer != null) {
                if (th != null) {
                    try {
                        restAuthorizer.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    restAuthorizer.close();
                }
            }
            throw th4;
        }
    }

    @Test
    public void testAuthorizationWithSslIdentificationAlgorithmHttps() throws Exception {
        HashMap hashMap = new HashMap();
        hashMap.put("confluent.metadata.bootstrap.server.urls", "https://localhost:" + actualMdsPort);
        hashMap.putAll(sslConfigs.clientConfigs());
        sslConfigs.clientConfigs().forEach((str, str2) -> {
            hashMap.put("confluent.metadata." + str, str2);
        });
        hashMap.put("confluent.metadata.ssl.endpoint.identification.algorithm", "https");
        RestAuthorizer restAuthorizer = new RestAuthorizer(new RestClient(hashMap));
        Throwable th = null;
        try {
            try {
                verifyAuthorizeCall(restAuthorizer, userPrincipal("ANONYMOUS"), new Action(Scope.kafkaClusterScope(clusterId), new ResourceType("Topic"), APP1_TOPIC, new Operation("Write")), false);
                if (restAuthorizer != null) {
                    if (0 == 0) {
                        restAuthorizer.close();
                        return;
                    }
                    try {
                        restAuthorizer.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (restAuthorizer != null) {
                if (th != null) {
                    try {
                        restAuthorizer.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    restAuthorizer.close();
                }
            }
            throw th4;
        }
    }

    private KafkaPrincipal userPrincipal(String str) {
        return new KafkaPrincipal("User", str);
    }

    private void verifyAuthorizeCall(RestAuthorizer restAuthorizer, KafkaPrincipal kafkaPrincipal, Action action, boolean z) {
        List authorize = restAuthorizer.authorize(kafkaPrincipal, "", Collections.singletonList(action));
        Assert.assertTrue(authorize.size() == 1);
        Assert.assertEquals(Boolean.valueOf(z), Boolean.valueOf(authorize.get(0) == AuthorizeResult.ALLOWED));
    }
}
