package cloud.coop;

import io.confluent.crn.CrnSyntaxException;
import io.confluent.rbacapi.entities.V2ListRoleBindingResponse;
import io.confluent.rbacapi.entities.V2RoleBinding;
import io.confluent.rbacapi.entities.V2SingleRoleBindingResponse;
import io.confluent.rbacapi.retrofit.v2.V2CloudRbacRoleBindingRestApi;
import io.confluent.rbacapi.retrofit.v2.V2CloudRbacRoleBindingRestRetrofitFactory;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.Scope;
import io.confluent.testing.TestIndependenceUtil;
import java.io.IOException;
import java.time.format.DateTimeFormatter;
import okhttp3.Credentials;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import org.apache.kafka.common.resource.PatternType;
import org.testng.Assert;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
import parity.coop.ParitySuite;
import retrofit2.Response;
import utils.MdsTestUtil;
import utils.RoleCrudUtil;

@Test
/* loaded from: input_file:cloud/coop/V2CloudRbacRoleBindingTest.class */
public class V2CloudRbacRoleBindingTest extends V2CloudRbacRoleBindingTestBase {
    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
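    /**
     * Supplies well-formed role bindings as rows of
     * {@code {principal seed, role name, CRN pattern}}.
     *
     * <p>The rows bind a role at each level of the CRN hierarchy used by this file
     * (organization, environment, cloud-cluster, kafka) and at resource level with
     * literal ({@code topic1}), wildcard ({@code *}) and prefixed ({@code foo*},
     * {@code bar*}) names. The permission tests reuse these rows with different
     * callers to check who may create or delete each binding.
     *
     * @return one row per binding
     */
    @DataProvider
    public Object[][] validRoleBindings() {
        final String org = "crn://confluent.cloud/organization=" + this.ORG_ID;
        final String env = org + "/environment=env-d";
        final String cluster = env + "/cloud-cluster=lkc-ef123";
        final String kafka = cluster + "/kafka=lkc-ef123";
        // The outer array must be Object[][]; the decompiled `new Object[]{...}` does not
        // type-check against the declared return type.
        return new Object[][] {
            {"u-org1", "OrganizationAdmin", org},
            {"u-env", "EnvironmentAdmin", env},
            {"u-cluster", "CloudClusterAdmin", cluster},
            {"u-kafka", "ResourceOwner", kafka},
            {"u-topic", "DeveloperRead", kafka + "/topic=topic1"},
            {"u-topic", "DeveloperWrite", kafka + "/topic=topic1"},
            {"u-topic", "DeveloperManage", kafka + "/topic=topic1"},
            {"u-topic", "DeveloperRead", kafka},
            {"u-topic", "DeveloperWrite", kafka},
            {"u-topic", "DeveloperManage", kafka},
            {"u-group", "DeveloperRead", kafka + "/group=group1"},
            {"u-topic-wildcard", "DeveloperRead", kafka + "/topic=*"},
            {"u-group-wildcard", "DeveloperRead", kafka + "/group=*"},
            {"u-topic-prefix", "DeveloperRead", kafka + "/topic=foo*"},
            {"u-group-prefix", "DeveloperRead", kafka + "/group=bar*"},
        };
    }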

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
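    /**
     * Supplies role bindings the API is expected to reject, as rows of
     * {@code {description, principal seed, role name, CRN pattern}}.
     *
     * <p>Going by the row descriptions, the cases are: a role bound at a scope level
     * other than its own, a resource type that does not match the role, the bare root
     * CRN, malformed CRNs, a misspelled role name, and incomplete or unknown scope and
     * resource segments.
     *
     * @return one row per rejected binding
     */
    @DataProvider
    public Object[][] invalidRoleBindings() {
        final String org = "crn://confluent.cloud/organization=" + this.ORG_ID;
        final String env = org + "/environment=env-d";
        final String cluster = env + "/cloud-cluster=lkc-ef123";
        final String kafka = cluster + "/kafka=lkc-ef123";
        final String topic = kafka + "/topic=topic1";
        // The outer array must be Object[][]; the decompiled `new Object[]{...}` does not
        // type-check against the declared return type.
        return new Object[][] {
            // Role bound at a scope level it is not defined for.
            {"Org role env scope", "u-org1", "OrganizationAdmin", env},
            {"Org role c-c scope", "u-org1", "OrganizationAdmin", cluster},
            {"Org role kafka scope", "u-org1", "OrganizationAdmin", kafka},
            {"Org role topic scope", "u-org1", "OrganizationAdmin", topic},
            {"Env role org scope", "u-env", "EnvironmentAdmin", org},
            {"Env role c-c scope", "u-env", "EnvironmentAdmin", cluster},
            {"Env role kafka scope", "u-env", "EnvironmentAdmin", kafka},
            {"Env role topic scope", "u-env", "EnvironmentAdmin", topic},
            {"C-C role org scope", "u-cluster", "CloudClusterAdmin", org},
            {"C-C role env scope", "u-cluster", "CloudClusterAdmin", env},
            {"C-C role kafka scope", "u-cluster", "CloudClusterAdmin", kafka},
            {"C-C role topic scope", "u-cluster", "CloudClusterAdmin", topic},
            {"kafka role org scope", "u-kafka", "ResourceOwner", org},
            {"kafka role env scope", "u-kafka", "ResourceOwner", env},
            {"kafka role c-c scope", "u-kafka", "ResourceOwner", cluster},
            {"topic role org scope", "u-topic", "DeveloperRead", org},
            {"topic role env scope", "u-topic", "DeveloperRead", env},
            {"topic role c-c scope", "u-topic", "DeveloperRead", cluster},
            {"wrong resource type", "u-kafka", "DeveloperWrite", kafka + "/group=group1"},
            // Root scope and strings that are not valid CRNs.
            {"root scope", "u-org1", "OrganizationAdmin", "crn://confluent.cloud"},
            {"missing /", "u-org2", "OrganizationAdmin", "crn:/confluent.cloud/organization=" + this.ORG_ID},
            {"not a crn", "u-org2", "OrganizationAdmin", "http://confluent.cloud/organization=" + this.ORG_ID},
            {"misspelled role", "u-kafka", "DevelopeRead", kafka},
            // Unknown, skipped or empty scope segments and bad resource patterns.
            {"invalid scope 1", "u-kafka2", "DeveloperRead", cluster + "/cc=lkc-ef123"},
            {"invalid scope 2", "u-cluster", "CloudClusterAdmin", org + "/cloud-cluster=lkc-ef123"},
            {"invalid scope 3", "u-cluster", "CloudClusterAdmin", env + "/cloud-cluster="},
            {"invalid scope 4", "u-kafka2", "DeveloperRead", cluster + "/kafka="},
            {"invalid resource pattern 1", "u-kafka2", "DeveloperRead", kafka + "/topic=top*ic1"},
            {"invalid resource type", "u-kafka2", "DeveloperRead", kafka + "/topc=topic1"},
            {"invalid scope resource type", "u-kafka2", "DeveloperRead", cluster + "/ksql=lksqlc-ef123/topic=topic1"},
        };
    }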

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
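    /**
     * Supplies rows of {@code {role name, CRN pattern, expected HTTP status}} for the
     * service-admin test that consumes this provider.
     *
     * <p>{@code StreamShareRead} is expected to be accepted (200) on the topic and
     * group CRNs and refused (403) on the transaction CRN; {@code OrganizationAdmin}
     * on the organization CRN is expected to be refused (403).
     *
     * @return one row per case
     */
    @DataProvider
    public Object[][] cdxTests() {
        // The outer array must be Object[][]; the decompiled `new Object[]{...}` does not
        // type-check against the declared return type.
        return new Object[][] {
            {"StreamShareRead", this.topicCrn, 200},
            {"StreamShareRead", this.groupCrn, 200},
            {"StreamShareRead", this.transactionCrn, 403},
            {"OrganizationAdmin", this.orgCrn, 403},
        };
    }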

    /**
     * Creates every row of {@code validRoleBindings} as {@code ORG_ADMIN}, with
     * {@code "organization"} as the binding-scope level the outcome is computed from.
     *
     * @param str principal seed from the data provider
     * @param str2 role name
     * @param str3 CRN pattern of the binding
     */
    @Test(dataProvider = "validRoleBindings")
    public void testCreateCloudRoleBinding(String str, String str2, String str3) throws Exception {
        final String bindingScope = "organization";
        checkCreateSuccessAtScopeLevel(this.ORG_ADMIN, bindingScope, str, str2, str3);
    }

    /**
     * Sends each row of {@code invalidRoleBindings} through {@code orgAdminClient} and
     * checks that the request fails and grants nothing.
     *
     * <p>Expected status: 403 when the CRN resolves to the root scope, otherwise 400;
     * 400 as well when the CRN cannot be parsed locally.
     *
     * @param str row description from the data provider; not used in the body
     * @param str2 principal seed
     * @param str3 role name
     * @param str4 CRN pattern
     */
    @Test(dataProvider = "invalidRoleBindings")
    public void testCreateInvalidCloudRoleBinding(String str, String str2, String str3, String str4) throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str2));
        V2RoleBinding binding = new V2RoleBinding((String) null, principal, str3, str4);
        Response response = this.orgAdminClient.createRoleBinding(binding).execute();
        Assert.assertFalse(response.isSuccessful());
        int status = response.code();
        try {
            boolean atRootScope = Scope.ROOT_SCOPE.equals(
                    authority.resolveScopePattern(authority.canonicalCrn(binding.getCrnPattern())).scope());
            int expectedStatus = atRootScope ? 403 : 400;
            Assert.assertEquals(status, expectedStatus);
            // A rejection status alone is not enough: confirm no binding was stored.
            Assert.assertFalse(principalHasRole(principal, str3, str4));
        } catch (CrnSyntaxException e) {
            // NOTE(review): on this path the "nothing was granted" check above is skipped.
            Assert.assertEquals(status, 400);
        }
    }

    /**
     * Checks that a principal built with the {@code "Luser:"} prefix is rejected with
     * 400 and that no binding is stored for it.
     */
    @Test
    public void testCreateCloudRoleBindingInvalidPrincipalType() throws Exception {
        final String role = "OrganizationAdmin";
        String orgCrn = "crn://confluent.cloud/organization=" + this.ORG_ID;
        // Built by hand rather than with RoleCrudUtil.kafkaPrincipalString.
        String badPrincipal = "Luser:" + TestIndependenceUtil.uniquify("u-org1");
        V2RoleBinding binding = new V2RoleBinding((String) null, badPrincipal, role, orgCrn);
        Response response = this.orgAdminClient.createRoleBinding(binding).execute();
        Assert.assertFalse(response.isSuccessful());
        Assert.assertEquals(response.code(), 400);
        Assert.assertFalse(principalHasRole(badPrincipal, role, orgCrn));
    }

    /**
     * Checks that {@code orgAdminClient} can neither create nor delete a
     * {@code StreamShareRead} binding on the topic CRN: both calls must return 403,
     * and after the refused create the binding must not exist.
     */
    @Test
    public void testInternalCloudRoleBindingDeniedForOrgAdmin() throws Exception {
        final String role = "StreamShareRead";
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify("sa-org1"));
        V2RoleBinding binding = new V2RoleBinding((String) null, principal, role, this.topicCrn);

        Response createResponse = this.orgAdminClient.createRoleBinding(binding).execute();
        Assert.assertFalse(createResponse.isSuccessful());
        Assert.assertEquals(createResponse.code(), 403);
        // The refusal must not leave a binding behind.
        Assert.assertFalse(principalHasRoleBinding(principal, role, this.topicCrn));

        Response deleteResponse = this.orgAdminClient.deleteRoleBinding(binding).execute();
        Assert.assertFalse(deleteResponse.isSuccessful());
        Assert.assertEquals(deleteResponse.code(), 403);
    }

    /**
     * Creates and then deletes a binding through a client built for
     * {@code ParitySuite.U_CDX_SERVICE_ADMIN}, using the rows of {@code cdxTests}.
     *
     * <p>When the expected status is 400 or above, both calls must fail with exactly
     * that status and the binding must be absent after the create. Otherwise both
     * calls must succeed and the binding must be present after the create.
     *
     * @param str role name
     * @param str2 CRN pattern
     * @param i expected HTTP status for the row
     */
    @Test(dataProvider = "cdxTests")
    public void testInternalCloudRoleBindingForServiceAdmin(String str, String str2, int i) throws Exception {
        final boolean expectRejected = i >= 400;
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify("sa-org1"));
        V2RoleBinding binding = new V2RoleBinding((String) null, principal, str, str2);
        V2CloudRbacRoleBindingRestApi serviceAdminApi = V2CloudRbacRoleBindingRestRetrofitFactory.build(
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, ParitySuite.U_CDX_SERVICE_ADMIN);

        Response createResponse = serviceAdminApi.createRoleBinding(binding).execute();
        if (expectRejected) {
            Assert.assertFalse(createResponse.isSuccessful());
            Assert.assertEquals(createResponse.code(), i);
            Assert.assertFalse(principalHasRoleBinding(principal, str, str2));
        } else {
            Assert.assertTrue(createResponse.isSuccessful());
            Assert.assertTrue(principalHasRoleBinding(principal, str, str2));
        }

        // NOTE(review): after a successful delete the binding is not re-checked for absence.
        Response deleteResponse = serviceAdminApi.deleteRoleBinding(binding).execute();
        if (expectRejected) {
            Assert.assertFalse(deleteResponse.isSuccessful());
            Assert.assertEquals(deleteResponse.code(), i);
        } else {
            Assert.assertTrue(deleteResponse.isSuccessful());
        }
    }

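    /**
     * Checks the raw JSON returned when a binding is created: it must contain a
     * {@code created_at} key and must not contain a {@code deleted_at} key.
     *
     * <p>The request is taken from the Retrofit call and re-sent with a plain
     * {@link OkHttpClient} so the response body can be read as text.
     */
    @Test
    public void testCreateCloudRoleBindingDoesntHaveDeleted() throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify("u-org1"));
        String orgCrn = "crn://confluent.cloud/organization=" + this.ORG_ID;
        Request template = this.orgAdminClient
                .createRoleBinding(new V2RoleBinding((String) null, principal, "OrganizationAdmin", orgCrn))
                .request();
        // Test-only Basic credentials: the same value is used as user name and password.
        // NOTE(review): add() appends; if the template already carries an Authorization
        // header, the request goes out with two. Confirm that is intended.
        Request authenticated = template.newBuilder()
                .headers(template.headers().newBuilder()
                        .add("Authorization", Credentials.basic(this.ORG_ADMIN, this.ORG_ADMIN))
                        .build())
                .build();
        // try-with-resources releases the connection even when an assertion fails
        // before the body has been read.
        try (okhttp3.Response response = new OkHttpClient().newCall(authenticated).execute()) {
            Assert.assertTrue(response.isSuccessful());
            Assert.assertEquals(response.code(), 201);
            String json = response.body().string();
            Assert.assertTrue(json.contains("\"created_at\""));
            Assert.assertFalse(json.contains("\"deleted_at\""));
        }
    }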

    /**
     * Creates a binding through a client built for the given caller and checks the
     * response against the expected outcome.
     *
     * <p>When creation is expected to succeed: status 201, {@code iam/v2} /
     * {@code RoleBinding} envelope, echoed principal, role and CRN pattern, an id
     * starting with {@code rb-}, a {@code createdAt} that parses as an ISO offset
     * date-time, no {@code deletedAt}, a {@code self} link and {@code Location}
     * header equal to the request URL plus the id, and JSON content type. Otherwise
     * the status must be 403. In both cases the stored state must agree with the
     * expectation.
     *
     * @param str caller identity handed to the client factory
     * @param str2 principal seed, made unique per call
     * @param str3 role name
     * @param str4 CRN pattern
     * @param z whether the caller is expected to be allowed to create the binding
     */
    private void checkCreateRoleBindingResponse(String str, String str2, String str3, String str4, boolean z) throws IOException, CrnSyntaxException {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str2));
        V2CloudRbacRoleBindingRestApi callerApi = V2CloudRbacRoleBindingRestRetrofitFactory.build(
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, str);
        Response response = callerApi.createRoleBinding(new V2RoleBinding((String) null, principal, str3, str4)).execute();
        if (!z) {
            Assert.assertEquals(response.code(), 403);
        } else {
            Assert.assertTrue(response.isSuccessful());
            Assert.assertEquals(response.code(), 201);
            V2SingleRoleBindingResponse body = (V2SingleRoleBindingResponse) response.body();
            Assert.assertEquals(body.getApiVersion(), "iam/v2");
            Assert.assertEquals(body.getKind(), "RoleBinding");
            Assert.assertEquals(body.principal, principal);
            Assert.assertEquals(body.roleName, str3);
            Assert.assertEquals(body.crnPattern, str4);
            Assert.assertTrue(body.id.startsWith("rb-"));
            // Parsed only for validation: parse() throws if the timestamp is malformed.
            DateTimeFormatter.ISO_OFFSET_DATE_TIME.parse(body.metadata.createdAt);
            String expectedSelf = response.raw().request().url() + "/" + body.id;
            Assert.assertEquals(body.metadata.self, expectedSelf);
            Assert.assertNull(body.metadata.deletedAt);
            Assert.assertEquals(response.headers().get("Location"), expectedSelf);
            Assert.assertEquals(response.headers().get("Content-Type"), "application/json");
        }
        // The stored state must match the expectation, whatever the status code was.
        Assert.assertEquals(principalHasRole(principal, str3, str4), z);
    }

    /**
     * Issues a create-binding request through a client built for the given caller and
     * returns only the HTTP status.
     *
     * @param str caller identity handed to the client factory
     * @param str2 principal string, used as given
     * @param str3 role name
     * @param str4 CRN pattern
     * @return HTTP status code of the create call
     */
    private int resultCodeForCreate(String str, String str2, String str3, String str4) throws Exception {
        V2CloudRbacRoleBindingRestApi callerApi = V2CloudRbacRoleBindingRestRetrofitFactory.build(
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, str);
        V2RoleBinding binding = new V2RoleBinding((String) null, str2, str3, str4);
        return callerApi.createRoleBinding(binding).execute().code();
    }

    /**
     * Computes the expected outcome for a caller whose own binding sits at the given
     * scope level: true when the scope of the target CRN has an ancestor with that
     * binding scope.
     *
     * @param str binding-scope level, e.g. {@code "organization"} or {@code "environment"}
     * @param str2 CRN pattern of the binding under test
     * @return whether {@code ancestorWithBindingScope} finds a match
     * @throws CrnSyntaxException if the CRN cannot be canonicalised or resolved
     */
    private boolean allowedAtScope(String str, String str2) throws CrnSyntaxException {
        Scope targetScope = authority.resolveScopePattern(authority.canonicalCrn(str2)).scope();
        return targetScope.ancestorWithBindingScope(str) != null;
    }

    /**
     * Computes the expected outcome for a caller that owns one resource or pattern.
     *
     * <p>The target CRN must resolve to a resource pattern of the given type. A
     * {@code "Cluster"} owner then always matches. A LITERAL owner of {@code "*"}
     * matches any name. A PREFIXED owner matches when the target name starts with
     * the owned name; any other owner needs an exact name match.
     *
     * @param str resource type name the caller owns
     * @param patternType pattern type of the ownership; only read when {@code str}
     *     is not {@code "Cluster"}
     * @param str2 owned resource name
     * @param str3 CRN pattern of the binding under test
     * @return whether the caller is expected to be allowed
     * @throws CrnSyntaxException if the CRN cannot be canonicalised or resolved
     */
    private boolean allowedOnResource(String str, PatternType patternType, String str2, String str3) throws CrnSyntaxException {
        ResourcePattern target = authority.resolveScopePattern(authority.canonicalCrn(str3)).resourcePattern();
        if (resourcePatternMissing(target)) {
            return false;
        }
        if (!str.equals(target.resourceType().name())) {
            return false;
        }
        if (str.equals("Cluster")) {
            // Callers pass a null patternType for cluster owners, so return before it is read.
            return true;
        }
        boolean literalOwner = patternType.equals(PatternType.LITERAL);
        if (literalOwner && str2.equals("*")) {
            return true;
        }
        if (patternType.equals(PatternType.PREFIXED)) {
            return target.name().startsWith(str2);
        }
        return target.name().equals(str2);
    }

    /** Returns true when the CRN carried no resource pattern, i.e. it names a scope only. */
    private static boolean resourcePatternMissing(ResourcePattern pattern) {
        return pattern == null;
    }

    /**
     * Runs the create check for a caller bound at a scope level; the expected
     * outcome comes from {@code allowedAtScope}.
     *
     * @param str caller identity
     * @param str2 scope level of the caller's own binding
     * @param str3 principal seed
     * @param str4 role name
     * @param str5 CRN pattern
     */
    private void checkCreateSuccessAtScopeLevel(String str, String str2, String str3, String str4, String str5) throws Exception {
        boolean expectAllowed = allowedAtScope(str2, str5);
        checkCreateRoleBindingResponse(str, str3, str4, str5, expectAllowed);
    }

    /**
     * Expects a create request to be refused with status 402 and to leave no binding
     * behind.
     *
     * @param str caller identity
     * @param str2 principal seed, made unique per call
     * @param str3 role name
     * @param str4 CRN pattern
     */
    private void checkCreateOverLimit(String str, String str2, String str3, String str4) throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str2));
        int status = resultCodeForCreate(str, principal, str3, str4);
        Assert.assertEquals(status, 402);
        boolean stored = principalHasRole(principal, str3, str4);
        Assert.assertEquals(stored, false);
    }

    /**
     * Runs the create check for a caller that owns a resource; the expected outcome
     * comes from {@code allowedOnResource}.
     *
     * @param str caller identity
     * @param str2 resource type name the caller owns
     * @param patternType pattern type of the ownership
     * @param str3 owned resource name
     * @param str4 principal seed
     * @param str5 role name
     * @param str6 CRN pattern
     */
    private void checkCreateSuccessOnResourceType(String str, String str2, PatternType patternType, String str3, String str4, String str5, String str6) throws Exception {
        boolean expectAllowed = allowedOnResource(str2, patternType, str3, str6);
        checkCreateRoleBindingResponse(str, str4, str5, str6, expectAllowed);
    }

    /**
     * Creates every valid binding as {@code ENV_ADMIN}; the outcome is computed for a
     * caller bound at the {@code "environment"} level.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testCreateCloudRolePermissionsEnvAdmin(String str, String str2, String str3) throws Exception {
        final String bindingScope = "environment";
        checkCreateSuccessAtScopeLevel(this.ENV_ADMIN, bindingScope, str, str2, str3);
    }

    /**
     * Creates every valid binding as {@code C_C_ADMIN}; the outcome is computed for a
     * caller bound at the {@code "cloud-cluster"} level.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testCreateCloudRolePermissionsCCAdmin(String str, String str2, String str3) throws Exception {
        final String bindingScope = "cloud-cluster";
        checkCreateSuccessAtScopeLevel(this.C_C_ADMIN, bindingScope, str, str2, str3);
    }

    /**
     * Creates every valid binding as {@code CLUSTER_OWNER}; the outcome is computed
     * for an owner of resource type {@code "Cluster"}.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testCreateCloudRolePermissionsClusterOwner(String str, String str2, String str3) throws Exception {
        // No pattern type or resource name is supplied for cluster ownership.
        final PatternType noPatternType = null;
        final String noResourceName = null;
        checkCreateSuccessOnResourceType(this.CLUSTER_OWNER, "Cluster", noPatternType, noResourceName, str, str2, str3);
    }

    /**
     * Creates every valid binding as {@code TOPIC_OWNER}; the outcome is computed for
     * a LITERAL owner of the topic named in {@code topicCrn}.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testCreateCloudRolePermissionsTopicOwner(String str, String str2, String str3) throws Exception {
        final String marker = "topic=";
        // Everything after "topic=" in the fixture CRN is taken as the owned topic name.
        String ownedTopic = this.topicCrn.substring(this.topicCrn.indexOf(marker) + marker.length());
        checkCreateSuccessOnResourceType(this.TOPIC_OWNER, "Topic", PatternType.LITERAL, ownedTopic, str, str2, str3);
    }

    /**
     * Creates every valid binding as {@code TOPIC_OWNER}; the outcome is computed for
     * a LITERAL owner of the topic named in {@code topicCrn}.
     *
     * <p>NOTE(review): the caller, pattern type and owned name are the same as in
     * {@code testCreateCloudRolePermissionsTopicOwner}, so no wildcard ownership is
     * exercised here. Confirm whether a wildcard-owner caller and {@code "*"} were
     * intended.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testCreateCloudRolePermissionsTopicWildcardOwner(String str, String str2, String str3) throws Exception {
        final String marker = "topic=";
        String ownedTopic = this.topicCrn.substring(this.topicCrn.indexOf(marker) + marker.length());
        checkCreateSuccessOnResourceType(this.TOPIC_OWNER, "Topic", PatternType.LITERAL, ownedTopic, str, str2, str3);
    }

    /**
     * Creates every valid binding as {@code TOPIC_OWNER}; the outcome is computed for
     * a PREFIXED owner whose prefix is the topic named in {@code topicCrn}.
     *
     * <p>NOTE(review): the caller is the same {@code TOPIC_OWNER} as in the literal
     * test; only the expected-outcome computation switches to PREFIXED. Confirm that
     * this caller really holds a prefixed binding.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testCreateCloudRolePermissionsTopicPrefixOwner(String str, String str2, String str3) throws Exception {
        final String marker = "topic=";
        String ownedPrefix = this.topicCrn.substring(this.topicCrn.indexOf(marker) + marker.length());
        checkCreateSuccessOnResourceType(this.TOPIC_OWNER, "Topic", PatternType.PREFIXED, ownedPrefix, str, str2, str3);
    }

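    /**
     * Checks that {@code DEVELOPER} is refused (403) when creating any of the valid
     * bindings and that the refused request stores nothing.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testCreateCloudRolePermissionsDeveloper(String str, String str2, String str3) throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str));
        Assert.assertEquals(resultCodeForCreate(this.DEVELOPER, principal, str2, str3), 403);
        // A 403 does not by itself prove nothing was written; check the stored state,
        // as the other create checks in this class do.
        Assert.assertFalse(principalHasRole(principal, str2, str3));
    }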

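    /**
     * Checks that {@code NOBODY} is refused (403) when creating any of the valid
     * bindings and that the refused request stores nothing.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testCreateCloudRolePermissionsNobody(String str, String str2, String str3) throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str));
        Assert.assertEquals(resultCodeForCreate(this.NOBODY, principal, str2, str3), 403);
        // A 403 does not by itself prove nothing was written; check the stored state,
        // as the other create checks in this class do.
        Assert.assertFalse(principalHasRole(principal, str2, str3));
    }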

    /**
     * Deletes every valid binding as {@code ORG_ADMIN}, addressing it by its content;
     * the outcome is computed for a caller bound at the {@code "organization"} level.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteCloudRoleBinding(String str, String str2, String str3) throws Exception {
        final String bindingScope = "organization";
        checkDeleteSuccessAtScopeLevel(this.ORG_ADMIN, bindingScope, str, str2, str3);
    }

    /**
     * Deletes every valid binding as {@code ORG_ADMIN}, addressing it by id; the
     * outcome is computed for a caller bound at the {@code "organization"} level.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteValidCloudRoleBindingById(String str, String str2, String str3) throws Exception {
        final String bindingScope = "organization";
        checkDeleteSuccessAtScopeLevelById(this.ORG_ADMIN, bindingScope, str, str2, str3);
    }

    /**
     * Sends a delete for each row of {@code invalidRoleBindings} through
     * {@code orgAdminClient} and checks that it fails.
     *
     * <p>Expected status: 403 when the CRN resolves to the root scope, otherwise 400;
     * 400 as well when the CRN cannot be parsed locally.
     *
     * @param str row description from the data provider; not used in the body
     * @param str2 principal seed
     * @param str3 role name
     * @param str4 CRN pattern
     */
    @Test(dataProvider = "invalidRoleBindings")
    public void testDeleteInvalidCloudRoleBinding(String str, String str2, String str3, String str4) throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str2));
        V2RoleBinding binding = new V2RoleBinding((String) null, principal, str3, str4);
        Response response = this.orgAdminClient.deleteRoleBinding(binding).execute();
        Assert.assertFalse(response.isSuccessful());
        int status = response.code();
        try {
            boolean atRootScope = Scope.ROOT_SCOPE.equals(
                    authority.resolveScopePattern(authority.canonicalCrn(binding.getCrnPattern())).scope());
            int expectedStatus = atRootScope ? 403 : 400;
            Assert.assertEquals(status, expectedStatus);
        } catch (CrnSyntaxException e) {
            Assert.assertEquals(status, 400);
        }
    }

    /**
     * Checks that deleting a binding for a principal built with the {@code "Luser:"}
     * prefix is rejected with 400 and that no such binding exists afterwards.
     *
     * <p>This method has no {@code @Test} of its own; only the class-level annotation
     * applies to it.
     */
    public void testDeleteCloudRoleBindingInvalidPrincipal() throws Exception {
        final String role = "OrganizationAdmin";
        String orgCrn = "crn://confluent.cloud/organization=" + this.ORG_ID;
        // Built by hand rather than with RoleCrudUtil.kafkaPrincipalString.
        String badPrincipal = "Luser:" + TestIndependenceUtil.uniquify("u-org1");
        V2RoleBinding binding = new V2RoleBinding((String) null, badPrincipal, role, orgCrn);
        Response response = this.orgAdminClient.deleteRoleBinding(binding).execute();
        Assert.assertFalse(response.isSuccessful());
        Assert.assertEquals(response.code(), 400);
        Assert.assertFalse(principalHasRole(badPrincipal, role, orgCrn));
    }

    /**
     * Issues a delete-by-id request through a client built for the given caller and
     * returns only the HTTP status.
     *
     * @param str caller identity handed to the client factory
     * @param str2 role-binding id
     * @return HTTP status code of the delete call
     */
    private int resultCodeForDeleteById(String str, String str2) throws Exception {
        V2CloudRbacRoleBindingRestApi callerApi = V2CloudRbacRoleBindingRestRetrofitFactory.build(
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, str);
        return callerApi.deleteRoleBindingById(str2).execute().code();
    }

    /**
     * Creates a binding through {@code orgAdminClient}, then deletes it (addressed by
     * its content) through a client built for the given caller, and checks the result.
     *
     * <p>When deletion is expected to succeed: status 200, {@code iam/v2} /
     * {@code RoleBinding} envelope, echoed principal, role and CRN pattern, an id
     * starting with {@code rb-}, {@code createdAt} and {@code deletedAt} that parse
     * as ISO offset date-times, a {@code self} link and {@code Location} header equal
     * to the request URL plus the id, and JSON content type. Otherwise the status
     * must be 403. In both cases the binding must be gone exactly when deletion was
     * expected to succeed.
     *
     * @param str caller identity handed to the client factory
     * @param str2 principal seed, made unique per call
     * @param str3 role name
     * @param str4 CRN pattern
     * @param z whether the caller is expected to be allowed to delete the binding
     */
    private void checkDeleteRoleBindingResponse(String str, String str2, String str3, String str4, boolean z) throws IOException, CrnSyntaxException {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str2));
        V2RoleBinding binding = new V2RoleBinding((String) null, principal, str3, str4);

        // Set-up: the binding has to exist before the delete permission can be probed.
        Assert.assertTrue(this.orgAdminClient.createRoleBinding(binding).execute().isSuccessful());
        Assert.assertTrue(principalHasRole(principal, str3, str4));

        V2CloudRbacRoleBindingRestApi callerApi = V2CloudRbacRoleBindingRestRetrofitFactory.build(
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, str);
        Response response = callerApi.deleteRoleBinding(binding).execute();
        if (!z) {
            Assert.assertEquals(response.code(), 403);
        } else {
            Assert.assertTrue(response.isSuccessful());
            Assert.assertEquals(response.code(), 200);
            V2SingleRoleBindingResponse body = (V2SingleRoleBindingResponse) response.body();
            Assert.assertEquals(body.getApiVersion(), "iam/v2");
            Assert.assertEquals(body.getKind(), "RoleBinding");
            Assert.assertEquals(body.principal, principal);
            Assert.assertEquals(body.roleName, str3);
            Assert.assertEquals(body.crnPattern, str4);
            Assert.assertTrue(body.id.startsWith("rb-"));
            // Parsed only for validation: parse() throws if a timestamp is malformed.
            DateTimeFormatter.ISO_OFFSET_DATE_TIME.parse(body.metadata.createdAt);
            DateTimeFormatter.ISO_OFFSET_DATE_TIME.parse(body.metadata.deletedAt);
            String expectedSelf = response.raw().request().url() + "/" + body.id;
            Assert.assertEquals(body.metadata.self, expectedSelf);
            Assert.assertEquals(response.headers().get("Location"), expectedSelf);
            Assert.assertEquals(response.headers().get("Content-Type"), "application/json");
        }
        // A refused delete must leave the binding in place; an allowed one must remove it.
        boolean bindingGone = !principalHasRole(principal, str3, str4);
        Assert.assertEquals(bindingGone, z);
    }

    /**
     * Creates a binding through {@code orgAdminClient}, then deletes it by the id
     * returned from the create call, through a client built for the given caller.
     *
     * <p>When deletion is expected to succeed: status 200, {@code iam/v2} /
     * {@code RoleBinding} envelope, echoed principal, role and CRN pattern, an id
     * starting with {@code rb-}, {@code createdAt} and {@code deletedAt} that parse
     * as ISO offset date-times, a {@code self} link and {@code Location} header equal
     * to the request URL itself, and JSON content type. Otherwise the status must be
     * 403. In both cases the binding must be gone exactly when deletion was expected
     * to succeed.
     *
     * @param str caller identity handed to the client factory
     * @param str2 principal seed, made unique per call
     * @param str3 role name
     * @param str4 CRN pattern
     * @param z whether the caller is expected to be allowed to delete the binding
     */
    private void checkDeleteByIdRoleBindingResponse(String str, String str2, String str3, String str4, boolean z) throws IOException, CrnSyntaxException {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str2));

        // Set-up: the binding has to exist before the delete permission can be probed.
        Response created = this.orgAdminClient.createRoleBinding(new V2RoleBinding((String) null, principal, str3, str4)).execute();
        Assert.assertTrue(created.isSuccessful());
        Assert.assertTrue(principalHasRole(principal, str3, str4));

        V2CloudRbacRoleBindingRestApi callerApi = V2CloudRbacRoleBindingRestRetrofitFactory.build(
                MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, str);
        String bindingId = ((V2SingleRoleBindingResponse) created.body()).id;
        Response deleted = callerApi.deleteRoleBindingById(bindingId).execute();
        if (!z) {
            Assert.assertEquals(deleted.code(), 403);
        } else {
            Assert.assertTrue(deleted.isSuccessful());
            Assert.assertEquals(deleted.code(), 200);
            V2SingleRoleBindingResponse body = (V2SingleRoleBindingResponse) deleted.body();
            Assert.assertEquals(body.getApiVersion(), "iam/v2");
            Assert.assertEquals(body.getKind(), "RoleBinding");
            Assert.assertEquals(body.principal, principal);
            Assert.assertEquals(body.roleName, str3);
            Assert.assertEquals(body.crnPattern, str4);
            Assert.assertTrue(body.id.startsWith("rb-"));
            // Parsed only for validation: parse() throws if a timestamp is malformed.
            DateTimeFormatter.ISO_OFFSET_DATE_TIME.parse(body.metadata.createdAt);
            DateTimeFormatter.ISO_OFFSET_DATE_TIME.parse(body.metadata.deletedAt);
            // Unlike the delete-by-content check, no id is appended to the request URL here.
            String expectedSelf = deleted.raw().request().url().toString();
            Assert.assertEquals(body.metadata.self, expectedSelf);
            Assert.assertEquals(deleted.headers().get("Location"), expectedSelf);
            Assert.assertEquals(deleted.headers().get("Content-Type"), "application/json");
        }
        // A refused delete must leave the binding in place; an allowed one must remove it.
        boolean bindingGone = !principalHasRole(principal, str3, str4);
        Assert.assertEquals(bindingGone, z);
    }

    /**
     * Runs the delete-by-content check for a caller bound at a scope level; the
     * expected outcome comes from {@code allowedAtScope}.
     *
     * @param str caller identity
     * @param str2 scope level of the caller's own binding
     * @param str3 principal seed
     * @param str4 role name
     * @param str5 CRN pattern
     */
    private void checkDeleteSuccessAtScopeLevel(String str, String str2, String str3, String str4, String str5) throws Exception {
        boolean expectAllowed = allowedAtScope(str2, str5);
        checkDeleteRoleBindingResponse(str, str3, str4, str5, expectAllowed);
    }

    /**
     * Runs the delete-by-id check for a caller bound at a scope level; the expected
     * outcome comes from {@code allowedAtScope}.
     *
     * @param str caller identity
     * @param str2 scope level of the caller's own binding
     * @param str3 principal seed
     * @param str4 role name
     * @param str5 CRN pattern
     */
    private void checkDeleteSuccessAtScopeLevelById(String str, String str2, String str3, String str4, String str5) throws Exception {
        boolean expectAllowed = allowedAtScope(str2, str5);
        checkDeleteByIdRoleBindingResponse(str, str3, str4, str5, expectAllowed);
    }

    /**
     * Runs the delete-by-content check for a caller that owns a resource; the
     * expected outcome comes from {@code allowedOnResource}.
     *
     * @param str caller identity
     * @param str2 resource type name the caller owns
     * @param patternType pattern type of the ownership
     * @param str3 owned resource name
     * @param str4 principal seed
     * @param str5 role name
     * @param str6 CRN pattern
     */
    private void checkDeleteSuccessOnResourceType(String str, String str2, PatternType patternType, String str3, String str4, String str5, String str6) throws Exception {
        boolean expectAllowed = allowedOnResource(str2, patternType, str3, str6);
        checkDeleteRoleBindingResponse(str, str4, str5, str6, expectAllowed);
    }

    /**
     * Runs the delete-by-id check for a caller that owns a resource; the expected
     * outcome comes from {@code allowedOnResource}.
     *
     * @param str caller identity
     * @param str2 resource type name the caller owns
     * @param patternType pattern type of the ownership
     * @param str3 owned resource name
     * @param str4 principal seed
     * @param str5 role name
     * @param str6 CRN pattern
     */
    private void checkDeleteSuccessOnResourceTypeById(String str, String str2, PatternType patternType, String str3, String str4, String str5, String str6) throws Exception {
        boolean expectAllowed = allowedOnResource(str2, patternType, str3, str6);
        checkDeleteByIdRoleBindingResponse(str, str4, str5, str6, expectAllowed);
    }

    /**
     * Deletes every valid binding as {@code ENV_ADMIN}, first by content and then by
     * id; the outcome is computed for a caller bound at the {@code "environment"}
     * level.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteCloudRolePermissionsEnvAdmin(String str, String str2, String str3) throws Exception {
        final String bindingScope = "environment";
        checkDeleteSuccessAtScopeLevel(this.ENV_ADMIN, bindingScope, str, str2, str3);
        checkDeleteSuccessAtScopeLevelById(this.ENV_ADMIN, bindingScope, str, str2, str3);
    }

    /**
     * Deletes every valid binding as {@code C_C_ADMIN}, first by content and then by
     * id; the outcome is computed for a caller bound at the {@code "cloud-cluster"}
     * level.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteCloudRolePermissionsCCAdmin(String str, String str2, String str3) throws Exception {
        final String bindingScope = "cloud-cluster";
        checkDeleteSuccessAtScopeLevel(this.C_C_ADMIN, bindingScope, str, str2, str3);
        checkDeleteSuccessAtScopeLevelById(this.C_C_ADMIN, bindingScope, str, str2, str3);
    }

    /**
     * Deletes every valid binding as {@code CLUSTER_OWNER}, first by content and then
     * by id; the outcome is computed for an owner of resource type {@code "Cluster"}.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteCloudRolePermissionsClusterOwner(String str, String str2, String str3) throws Exception {
        // No pattern type or resource name is supplied for cluster ownership.
        final PatternType noPatternType = null;
        final String noResourceName = null;
        checkDeleteSuccessOnResourceType(this.CLUSTER_OWNER, "Cluster", noPatternType, noResourceName, str, str2, str3);
        checkDeleteSuccessOnResourceTypeById(this.CLUSTER_OWNER, "Cluster", noPatternType, noResourceName, str, str2, str3);
    }

    /**
     * Deletes every valid binding as {@code TOPIC_OWNER}, first by content and then
     * by id; the outcome is computed for a LITERAL owner of the topic named in
     * {@code topicCrn}.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteCloudRolePermissionsTopicOwner(String str, String str2, String str3) throws Exception {
        final String marker = "topic=";
        // Everything after "topic=" in the fixture CRN is taken as the owned topic name.
        int nameStart = this.topicCrn.indexOf(marker) + marker.length();
        String ownedTopic = this.topicCrn.substring(nameStart);
        checkDeleteSuccessOnResourceType(this.TOPIC_OWNER, "Topic", PatternType.LITERAL, ownedTopic, str, str2, str3);
        checkDeleteSuccessOnResourceTypeById(this.TOPIC_OWNER, "Topic", PatternType.LITERAL, ownedTopic, str, str2, str3);
    }

    /**
     * Checks that {@code DEVELOPER} is refused (403) when deleting a binding by
     * content, and that the binding still exists afterwards.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteCloudRolePermissionsDeveloper(String str, String str2, String str3) throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str));
        V2RoleBinding binding = new V2RoleBinding((String) null, principal, str2, str3);
        // Set-up through orgAdminClient so there is something to delete.
        Assert.assertTrue(this.orgAdminClient.createRoleBinding(binding).execute().isSuccessful());
        Assert.assertTrue(principalHasRole(principal, str2, str3));

        int status = resultCodeForDelete(this.DEVELOPER, principal, str2, str3);
        Assert.assertEquals(status, 403);
        // The refused delete must not have removed the binding.
        Assert.assertTrue(principalHasRole(principal, str2, str3));
    }

    /**
     * Checks that {@code DEVELOPER} is refused (403) when deleting a binding by id,
     * and that the binding still exists afterwards.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteCloudRolePermissionsDeveloperById(String str, String str2, String str3) throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str));
        // Set-up through orgAdminClient; the id comes from this create response.
        Response created = this.orgAdminClient.createRoleBinding(new V2RoleBinding((String) null, principal, str2, str3)).execute();
        Assert.assertTrue(created.isSuccessful());
        Assert.assertTrue(principalHasRole(principal, str2, str3));

        String bindingId = ((V2SingleRoleBindingResponse) created.body()).id;
        int status = resultCodeForDeleteById(this.DEVELOPER, bindingId);
        Assert.assertEquals(status, 403);
        // The refused delete must not have removed the binding.
        Assert.assertTrue(principalHasRole(principal, str2, str3));
    }

    /**
     * Checks that {@code NOBODY} is refused (403) when deleting a binding by content,
     * and that the binding still exists afterwards.
     *
     * @param str principal seed
     * @param str2 role name
     * @param str3 CRN pattern
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteCloudRolePermissionsNobody(String str, String str2, String str3) throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str));
        V2RoleBinding binding = new V2RoleBinding((String) null, principal, str2, str3);
        // Set-up through orgAdminClient so there is something to delete.
        Assert.assertTrue(this.orgAdminClient.createRoleBinding(binding).execute().isSuccessful());
        Assert.assertTrue(principalHasRole(principal, str2, str3));

        int status = resultCodeForDelete(this.NOBODY, principal, str2, str3);
        Assert.assertEquals(status, 403);
        // The refused delete must not have removed the binding.
        Assert.assertTrue(principalHasRole(principal, str2, str3));
    }

    /**
     * Checks that the {@code NOBODY} test user cannot delete a role binding by its id.
     *
     * <p>The id comes from the create response obtained through {@code orgAdminClient}. The
     * delete attempt must return HTTP 403 and the binding must remain present.
     *
     * @param str base principal name; made unique before use
     * @param str2 role name of the binding
     * @param str3 CRN the binding is scoped to
     * @throws Exception if a request cannot be executed
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteCloudRolePermissionsNobodyById(String str, String str2, String str3) throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str));
        V2RoleBinding binding = new V2RoleBinding((String) null, principal, str2, str3);

        // Arrange: the binding exists and is visible before the denied delete.
        Response created = this.orgAdminClient.createRoleBinding(binding).execute();
        Assert.assertTrue(created.isSuccessful());
        Assert.assertTrue(principalHasRole(principal, str2, str3));

        // Act + assert: knowing a valid id is not enough; the caller still gets 403.
        String bindingId = ((V2SingleRoleBindingResponse) created.body()).id;
        Assert.assertEquals(resultCodeForDeleteById(this.NOBODY, bindingId), 403);
        Assert.assertTrue(principalHasRole(principal, str2, str3));
    }

    /**
     * Checks that {@code ORG_ADMIN} gets HTTP 404 when deleting a binding that was never created.
     *
     * <p>The principal is made unique and no binding is created for it, so the
     * principal/role/CRN tuple cannot exist. An authorized caller is told the truth (404),
     * whereas {@code testDeleteNonexistentForbidden} expects 403 for the same request from
     * {@code NOBODY}.
     *
     * @param str base principal name; made unique before use
     * @param str2 role name of the binding
     * @param str3 CRN the binding would be scoped to
     * @throws Exception if the request cannot be executed
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteNonexistentPermitted(String str, String str2, String str3) throws Exception {
        String neverBoundPrincipal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str));
        Assert.assertEquals(
                resultCodeForDelete(this.ORG_ADMIN, neverBoundPrincipal, str2, str3),
                404,
                "OrgAdmin should be able to delete this, but it doesn't exist");
    }

    /**
     * Checks the delete-by-id result for {@code ORG_ADMIN} once the binding is already gone.
     *
     * <p>The binding is created, deleted by principal/role/CRN (HTTP 200) and confirmed
     * absent. A later delete by the old id must return HTTP 403. This differs from the by-tuple
     * case in {@code testDeleteNonexistentPermitted}, which expects 404: by id, a missing
     * binding is answered with 403 even for the org admin.
     *
     * @param str base principal name; made unique before use
     * @param str2 role name of the binding
     * @param str3 CRN the binding is scoped to
     * @throws Exception if a request cannot be executed
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteNonexistentPermittedById(String str, String str2, String str3) throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str));
        V2RoleBinding binding = new V2RoleBinding((String) null, principal, str2, str3);

        // Arrange: create the binding, then remove it again so that only a stale id remains.
        Response created = this.orgAdminClient.createRoleBinding(binding).execute();
        Assert.assertTrue(created.isSuccessful());
        Assert.assertTrue(principalHasRole(principal, str2, str3));
        Assert.assertEquals(resultCodeForDelete(this.ORG_ADMIN, principal, str2, str3), 200);
        Assert.assertFalse(principalHasRole(principal, str2, str3));

        // Act + assert: the stale id yields 403, not 404.
        String staleId = ((V2SingleRoleBindingResponse) created.body()).id;
        Assert.assertEquals(
                resultCodeForDeleteById(this.ORG_ADMIN, staleId),
                403,
                "OrgAdmin should be able to delete this, but it doesn't exist");
    }

    /**
     * Checks that {@code NOBODY} gets HTTP 403 when deleting a binding that was never created.
     *
     * <p>The expected code is 403 rather than 404, so the response does not tell an
     * unauthorized caller that the binding is missing.
     *
     * @param str base principal name; made unique before use
     * @param str2 role name of the binding
     * @param str3 CRN the binding would be scoped to
     * @throws Exception if the request cannot be executed
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteNonexistentForbidden(String str, String str2, String str3) throws Exception {
        String neverBoundPrincipal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str));
        Assert.assertEquals(
                resultCodeForDelete(this.NOBODY, neverBoundPrincipal, str2, str3),
                403,
                "User should not be able to access this, much less delete it");
    }

    /**
     * Checks that {@code NOBODY} gets HTTP 403 when deleting by the id of a binding that has
     * already been removed.
     *
     * <p>The binding is created and then deleted by {@code ORG_ADMIN} (HTTP 200). The old id is
     * then used by the unauthorized caller, and the expected answer is 403.
     *
     * @param str base principal name; made unique before use
     * @param str2 role name of the binding
     * @param str3 CRN the binding is scoped to
     * @throws Exception if a request cannot be executed
     */
    @Test(dataProvider = "validRoleBindings")
    public void testDeleteNonexistentForbiddenById(String str, String str2, String str3) throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(str));
        V2RoleBinding binding = new V2RoleBinding((String) null, principal, str2, str3);

        // Arrange: create the binding, then remove it again so that only a stale id remains.
        Response created = this.orgAdminClient.createRoleBinding(binding).execute();
        Assert.assertTrue(created.isSuccessful());
        Assert.assertTrue(principalHasRole(principal, str2, str3));
        Assert.assertEquals(resultCodeForDelete(this.ORG_ADMIN, principal, str2, str3), 200);
        Assert.assertFalse(principalHasRole(principal, str2, str3));

        // Act + assert: the unauthorized caller gets 403 for the stale id.
        String staleId = ((V2SingleRoleBindingResponse) created.body()).id;
        Assert.assertEquals(
                resultCodeForDeleteById(this.NOBODY, staleId),
                403,
                "User should not be able to access this, much less delete it");
    }

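    /**
     * Verifies that delete-by-id responses do not reveal whether a role binding exists.
     *
     * <p>Three delete-by-id responses for the same id are compared:
     * <ol>
     *   <li>{@code NOBODY} while the binding exists (the caller is not allowed to delete it),</li>
     *   <li>the org admin client after the binding has been deleted,</li>
     *   <li>{@code NOBODY} after the binding has been deleted.</li>
     * </ol>
     * All three must have status 403, the same parsed body and the same error body. A caller
     * therefore cannot tell "exists but forbidden" from "does not exist" by probing ids.
     *
     * <p>The status codes are asserted before the error bodies are read. Retrofit's
     * {@code errorBody()} is {@code null} on a successful response, so if a delete unexpectedly
     * succeeded, reading the body first would fail with a {@code NullPointerException} instead
     * of reporting the wrong status code.
     *
     * @throws Exception if a request cannot be executed or an error body cannot be read
     */
    @Test
    public void testDeleteByIdLeaksNoInfo() throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify(this.ORG_ADMIN));
        Response created = this.orgAdminClient.createRoleBinding(new V2RoleBinding((String) null, principal, "OrganizationAdmin", this.orgCrn)).execute();
        Assert.assertTrue(created.isSuccessful());
        Assert.assertTrue(principalHasRole(principal, "OrganizationAdmin", this.orgCrn));
        String bindingId = ((V2SingleRoleBindingResponse) created.body()).id;

        V2CloudRbacRoleBindingRestApi nobodyClient = V2CloudRbacRoleBindingRestRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, this.NOBODY);

        // (1) Unauthorized caller, binding exists.
        Response deniedWhileExisting = nobodyClient.deleteRoleBindingById(bindingId).execute();
        Assert.assertEquals(deniedWhileExisting.code(), 403, "NOBODY delete-by-id of an existing binding");

        // The org admin removes the binding. testDeleteNonexistentPermitted expects 404 for a
        // missing binding, so 200 here also shows that the denied call above removed nothing.
        Assert.assertEquals(resultCodeForDelete(this.ORG_ADMIN, principal, "OrganizationAdmin", this.orgCrn), 200);
        Assert.assertFalse(principalHasRole(principal, "OrganizationAdmin", this.orgCrn));

        // (2) Authorized caller, binding gone.  (3) Unauthorized caller, binding gone.
        Response adminAfterDelete = this.orgAdminClient.deleteRoleBindingById(bindingId).execute();
        Response deniedAfterDelete = nobodyClient.deleteRoleBindingById(bindingId).execute();
        Assert.assertEquals(adminAfterDelete.code(), 403, "OrgAdmin delete-by-id of a removed binding");
        Assert.assertEquals(deniedAfterDelete.code(), 403, "NOBODY delete-by-id of a removed binding");

        // Parsed bodies must match across all three responses.
        Assert.assertEquals(deniedWhileExisting.body(), adminAfterDelete.body());
        Assert.assertEquals(adminAfterDelete.body(), deniedAfterDelete.body());

        // The raw error payloads must match too, so the message text gives nothing away.
        String existingError = deniedWhileExisting.errorBody().string();
        String adminError = adminAfterDelete.errorBody().string();
        String removedError = deniedAfterDelete.errorBody().string();
        Assert.assertEquals(existingError, adminError);
        Assert.assertEquals(adminError, removedError);
    }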

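    /**
     * Verifies that role-binding creation is capped and that deleting bindings frees capacity.
     *
     * <p>Steps, all against a freshly generated organization CRN:
     * <ol>
     *   <li>create one {@code OrganizationAdmin} binding through {@code suCloudClient};</li>
     *   <li>create 999 more through {@code checkCreateSuccessAtScopeLevel}, cycling through
     *       the templates;</li>
     *   <li>expect {@code checkCreateOverLimit} to hold for every template;</li>
     *   <li>list up to 50 {@code DeveloperRead} bindings and delete 50 of them;</li>
     *   <li>create 50 bindings again, then expect the over-limit result once more.</li>
     * </ol>
     *
     * <p>NOTE(review): the 1 + 999 count suggests a limit of 1000 bindings per organization.
     * The limit is not defined in this class, so confirm it against the server configuration.
     *
     * <p>The template table is declared as {@code String[][]}. The decompiler output typed it
     * as {@code String[]} holding {@code String[]} elements and read rows as {@code Object[]},
     * which does not compile.
     *
     * @throws Exception if a request cannot be executed
     */
    @Test
    public void testCreateTooManyCloudRoleBindings() throws Exception {
        final int releasedCount = 50;

        String freshOrgCrn = TestIndependenceUtil.uniquify("crn://confluent.cloud/organization=org-");
        String envCrn = freshOrgCrn + "/environment=env-d";
        String clusterCrn = envCrn + "/cloud-cluster=lkc-ef123";
        String kafkaCrn = clusterCrn + "/kafka=lkc-ef123";
        String topicCrn = kafkaCrn + "/topic=topic1";
        String groupCrn = kafkaCrn + "/group=group1";

        // Each row is {principal base name, role name, CRN}.
        String[][] templates = {
            {"u-org1", "OrganizationAdmin", freshOrgCrn},
            {"u-env", "EnvironmentAdmin", envCrn},
            {"u-cluster", "CloudClusterAdmin", clusterCrn},
            {"u-kafka", "ResourceOwner", kafkaCrn},
            {"u-topic", "DeveloperRead", topicCrn},
            {"u-topic", "DeveloperRead", kafkaCrn},
            {"u-topic", "DeveloperRead", groupCrn},
            {"u-topic", "DeveloperWrite", topicCrn},
        };

        // Binding #1: give ORG_ADMIN rights on the fresh organization.
        Assert.assertTrue(this.suCloudClient.createRoleBinding(new V2RoleBinding((String) null, RoleCrudUtil.kafkaPrincipalString(this.ORG_ADMIN), "OrganizationAdmin", freshOrgCrn)).execute().isSuccessful());

        // Bindings #2..#1000: the loop starts at 1 because the first binding already exists.
        for (int i = 1; i < 1000; i++) {
            String[] row = templates[i % templates.length];
            checkCreateSuccessAtScopeLevel(this.ORG_ADMIN, "organization", row[0], row[1], row[2]);
        }

        // Every template must now be rejected, whatever its scope level or role.
        for (String[] row : templates) {
            checkCreateOverLimit(this.ORG_ADMIN, row[0], row[1], row[2]);
        }

        // Free capacity by deleting listed DeveloperRead bindings.
        // NOTE(review): relies on the listing returning at least 50 entries; get(i) fails otherwise.
        Response listResponse = this.orgAdminClient.listRoleBindings(null, "DeveloperRead", freshOrgCrn + "/*", releasedCount, null).execute();
        Assert.assertTrue(listResponse.isSuccessful());
        V2ListRoleBindingResponse listed = (V2ListRoleBindingResponse) listResponse.body();
        for (int i = 0; i < releasedCount; i++) {
            V2SingleRoleBindingResponse entry = (V2SingleRoleBindingResponse) listed.data.get(i);
            Assert.assertTrue(this.orgAdminClient.deleteRoleBinding(entry.getV2RoleBinding()).execute().isSuccessful());
        }

        // The freed slots can be used again.
        for (int i = 0; i < releasedCount; i++) {
            String[] row = templates[i % templates.length];
            checkCreateSuccessAtScopeLevel(this.ORG_ADMIN, "organization", row[0], row[1], row[2]);
        }

        // Once they are used up, the limit applies again.
        for (String[] row : templates) {
            checkCreateOverLimit(this.ORG_ADMIN, row[0], row[1], row[2]);
        }
    }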
}
