package io.confluent.rbacapi.services;

import com.google.common.collect.ImmutableSet;
import integration.rbacapi.api.v1.LookupTest;
import io.confluent.rbacapi.utils.RoleUtils;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.RoleBinding;
import java.util.Arrays;
import java.util.Collections;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.junit.Assert;
import org.junit.Test;
import utils.RolesTestUtils;

/* loaded from: input_file:io/confluent/rbacapi/services/ClusterPermissionsBuilderTest.class */
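/**
 * Unit tests for {@link ClusterPermissionsBuilder}.
 *
 * <p>Each test feeds the builder a role map, a set of principals, a scope, a resource-type
 * filter and a list of role bindings, then checks what the resulting {@link ClusterPermissions}
 * reports through {@code canDescribeAccess} and {@code canAlterAccess}, both for a whole
 * resource type and for individual resource patterns.
 *
 * <p>Read as a security specification, the assertions pin these properties:
 * <ul>
 *   <li>a resource-scoped binding grants nothing beyond the patterns it names (no widening to
 *       the whole type, to a sibling resource or to another resource type);</li>
 *   <li>a binding whose role is missing from the role map contributes no access;</li>
 *   <li>bindings held by another principal or made in another scope contribute no access.</li>
 * </ul>
 */
public class ClusterPermissionsBuilderTest {
    private static final KafkaPrincipal USER_1 = SecurityUtils.parseKafkaPrincipal("User:u1");
    private static final Scope SCOPE = Scope.kafkaClusterScope("k1");
    private static final ResourceType CLUSTER = new ResourceType("Cluster");
    private static final ResourceType TOPIC = new ResourceType("Topic");
    private static final ResourceType GROUP = new ResourceType(LookupTest.GROUP_TYPE);
    private final ClusterPermissionsBuilder builder = new ClusterPermissionsBuilder();

    /** Building from entirely empty inputs must still produce a permissions object. */
    @Test
    public void testBuildEmptyClusterPermissions() {
        // NOTE(review): only non-null is asserted here. Asserting that the empty result also
        // denies describe/alter access would pin deny-by-default explicitly - confirm the
        // intended behaviour before adding it.
        Assert.assertNotNull(
                builder.build(
                        Collections.emptyMap(),
                        Collections.emptyList(),
                        SCOPE,
                        ResourceType.ALL,
                        Collections.emptyList()));
    }

    /** A system-admin binding with no resources yields describe and alter access throughout. */
    @Test
    public void testBuildWithOnlySystemAdminRoleBinding() {
        ClusterPermissions permissions =
                builder.build(
                        RoleUtils.mapRolesByName(Collections.singleton(RolesTestUtils.SYSTEM_ADMIN_ROLE)),
                        Collections.singleton(USER_1),
                        SCOPE,
                        ResourceType.ALL,
                        Arrays.asList(
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.SYSTEM_ADMIN_ROLE.name(),
                                        SCOPE,
                                        Collections.emptySet())));

        Assert.assertTrue(permissions.canDescribeAccess(TOPIC));
        Assert.assertTrue(permissions.canAlterAccess(TOPIC));
        Assert.assertTrue(permissions.canDescribeAccess(literal("Topic", "t1")));
        Assert.assertTrue(permissions.canAlterAccess(literal("Topic", "t1")));
        Assert.assertTrue(permissions.canDescribeAccess(GROUP));
        Assert.assertTrue(permissions.canAlterAccess(GROUP));
        Assert.assertTrue(permissions.canDescribeAccess(literal(LookupTest.GROUP_TYPE, "g1")));
        Assert.assertTrue(permissions.canAlterAccess(literal(LookupTest.GROUP_TYPE, "g1")));
    }

    /** A security-admin binding yields describe access throughout but never alter access. */
    @Test
    public void testBuildWithOnlySecurityAdminRoleBinding() {
        ClusterPermissions permissions =
                builder.build(
                        RoleUtils.mapRolesByName(Collections.singleton(RolesTestUtils.SECURITY_ADMIN_ROLE)),
                        Collections.singleton(USER_1),
                        SCOPE,
                        ResourceType.ALL,
                        Arrays.asList(
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.SECURITY_ADMIN_ROLE.name(),
                                        SCOPE,
                                        Collections.emptySet())));

        Assert.assertTrue(permissions.canDescribeAccess(TOPIC));
        Assert.assertFalse(permissions.canAlterAccess(TOPIC));
        Assert.assertTrue(permissions.canDescribeAccess(literal("Topic", "t1")));
        Assert.assertFalse(permissions.canAlterAccess(literal("Topic", "t1")));
        Assert.assertTrue(permissions.canDescribeAccess(GROUP));
        Assert.assertFalse(permissions.canAlterAccess(GROUP));
        Assert.assertTrue(permissions.canDescribeAccess(literal(LookupTest.GROUP_TYPE, "g1")));
        Assert.assertFalse(permissions.canAlterAccess(literal(LookupTest.GROUP_TYPE, "g1")));
    }

    /**
     * A resource-owner binding on the literal {@code Cluster:kafka-cluster} pattern covers that
     * pattern only: not the Cluster type as a whole, and no topic or group.
     */
    @Test
    public void testBuildWithResourceOwnerOnKafkaClusterRoleBinding() {
        ClusterPermissions permissions =
                builder.build(
                        RoleUtils.mapRolesByName(Collections.singleton(RolesTestUtils.RESOURCE_OWNER_ROLE)),
                        Collections.singleton(USER_1),
                        SCOPE,
                        ResourceType.ALL,
                        Arrays.asList(
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.RESOURCE_OWNER_ROLE.name(),
                                        SCOPE,
                                        Collections.singleton(literal("Cluster", "kafka-cluster")))));

        Assert.assertFalse(permissions.canDescribeAccess(TOPIC));
        Assert.assertFalse(permissions.canAlterAccess(TOPIC));
        Assert.assertFalse(permissions.canDescribeAccess(literal("Topic", "t1")));
        Assert.assertFalse(permissions.canAlterAccess(literal("Topic", "t1")));
        Assert.assertFalse(permissions.canDescribeAccess(GROUP));
        Assert.assertFalse(permissions.canAlterAccess(GROUP));
        Assert.assertFalse(permissions.canDescribeAccess(literal(LookupTest.GROUP_TYPE, "g1")));
        Assert.assertFalse(permissions.canAlterAccess(literal(LookupTest.GROUP_TYPE, "g1")));
        // Type-wide Cluster access stays denied; only the named pattern is covered.
        Assert.assertFalse(permissions.canDescribeAccess(CLUSTER));
        Assert.assertFalse(permissions.canAlterAccess(CLUSTER));
        Assert.assertTrue(permissions.canDescribeAccess(literal("Cluster", "kafka-cluster")));
        Assert.assertTrue(permissions.canAlterAccess(literal("Cluster", "kafka-cluster")));
    }

    /** A resource-owner binding on literal topic {@code t1} covers t1 and nothing else. */
    @Test
    public void testBuildWithResourceOwnerOnLiteralTopicRoleBinding() {
        ClusterPermissions permissions =
                builder.build(
                        RoleUtils.mapRolesByName(Collections.singleton(RolesTestUtils.RESOURCE_OWNER_ROLE)),
                        Collections.singleton(USER_1),
                        SCOPE,
                        ResourceType.ALL,
                        Arrays.asList(
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.RESOURCE_OWNER_ROLE.name(),
                                        SCOPE,
                                        Collections.singleton(literal("Topic", "t1")))));

        Assert.assertFalse(permissions.canDescribeAccess(TOPIC));
        Assert.assertFalse(permissions.canAlterAccess(TOPIC));
        Assert.assertTrue(permissions.canDescribeAccess(literal("Topic", "t1")));
        Assert.assertTrue(permissions.canAlterAccess(literal("Topic", "t1")));
        // A sibling topic must not be covered by the t1 binding.
        Assert.assertFalse(permissions.canDescribeAccess(literal("Topic", "t2")));
        Assert.assertFalse(permissions.canAlterAccess(literal("Topic", "t2")));
        Assert.assertFalse(permissions.canDescribeAccess(GROUP));
        Assert.assertFalse(permissions.canAlterAccess(GROUP));
        Assert.assertFalse(permissions.canDescribeAccess(literal(LookupTest.GROUP_TYPE, "g1")));
        Assert.assertFalse(permissions.canAlterAccess(literal(LookupTest.GROUP_TYPE, "g1")));
    }

    /**
     * A resource-owner binding on the prefixed topic pattern {@code s} covers the topics
     * {@code s} and {@code str}, but not {@code t1} and not the Topic type as a whole.
     */
    @Test
    public void testBuildWithResourceOwnerOnPrefixTopicRoleBinding() {
        ClusterPermissions permissions =
                builder.build(
                        RoleUtils.mapRolesByName(Collections.singleton(RolesTestUtils.RESOURCE_OWNER_ROLE)),
                        Collections.singleton(USER_1),
                        SCOPE,
                        ResourceType.ALL,
                        Arrays.asList(
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.RESOURCE_OWNER_ROLE.name(),
                                        SCOPE,
                                        Collections.singleton(prefix("Topic", "s")))));

        Assert.assertFalse(permissions.canDescribeAccess(TOPIC));
        Assert.assertFalse(permissions.canAlterAccess(TOPIC));
        Assert.assertFalse(permissions.canDescribeAccess(literal("Topic", "t1")));
        Assert.assertFalse(permissions.canAlterAccess(literal("Topic", "t1")));
        // Exact match of the prefix itself.
        Assert.assertTrue(permissions.canDescribeAccess(literal("Topic", "s")));
        Assert.assertTrue(permissions.canAlterAccess(literal("Topic", "s")));
        // Longer name that starts with the prefix.
        Assert.assertTrue(permissions.canDescribeAccess(literal("Topic", "str")));
        Assert.assertTrue(permissions.canAlterAccess(literal("Topic", "str")));
        Assert.assertFalse(permissions.canDescribeAccess(GROUP));
        Assert.assertFalse(permissions.canAlterAccess(GROUP));
        Assert.assertFalse(permissions.canDescribeAccess(literal(LookupTest.GROUP_TYPE, "g1")));
        Assert.assertFalse(permissions.canAlterAccess(literal(LookupTest.GROUP_TYPE, "g1")));
    }

    /**
     * With the resource-type filter set to Group, a binding that names both topic {@code t1} and
     * group {@code g1} is reported for g1 only; the topic part is left out of the result.
     */
    @Test
    public void testBuildWithASpecificResourceType() {
        ClusterPermissions permissions =
                builder.build(
                        RoleUtils.mapRolesByName(Collections.singleton(RolesTestUtils.RESOURCE_OWNER_ROLE)),
                        Collections.singleton(USER_1),
                        SCOPE,
                        GROUP,
                        Arrays.asList(
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.RESOURCE_OWNER_ROLE.name(),
                                        SCOPE,
                                        ImmutableSet.of(
                                                literal("Topic", "t1"),
                                                literal(LookupTest.GROUP_TYPE, "g1")))));

        Assert.assertFalse(permissions.canDescribeAccess(TOPIC));
        Assert.assertFalse(permissions.canAlterAccess(TOPIC));
        Assert.assertFalse(permissions.canDescribeAccess(literal("Topic", "t1")));
        Assert.assertFalse(permissions.canAlterAccess(literal("Topic", "t1")));
        Assert.assertFalse(permissions.canDescribeAccess(GROUP));
        Assert.assertFalse(permissions.canAlterAccess(GROUP));
        Assert.assertTrue(permissions.canDescribeAccess(literal(LookupTest.GROUP_TYPE, "g1")));
        Assert.assertTrue(permissions.canAlterAccess(literal(LookupTest.GROUP_TYPE, "g1")));
    }

    /**
     * Security-admin combined with a developer-read binding on {@code t1} and {@code g1}:
     * describe access throughout, and the read-only resource binding adds no alter access.
     */
    @Test
    public void testBuildWithSecurityAdminAndResourceRoleBindings() {
        ClusterPermissions permissions =
                builder.build(
                        RoleUtils.mapRolesByName(
                                ImmutableSet.of(
                                        RolesTestUtils.SECURITY_ADMIN_ROLE,
                                        RolesTestUtils.DEVELOPER_READ_ROLE)),
                        Collections.singleton(USER_1),
                        SCOPE,
                        ResourceType.ALL,
                        Arrays.asList(
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.SECURITY_ADMIN_ROLE.name(),
                                        SCOPE,
                                        Collections.emptySet()),
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.DEVELOPER_READ_ROLE.name(),
                                        SCOPE,
                                        ImmutableSet.of(
                                                literal("Topic", "t1"),
                                                literal(LookupTest.GROUP_TYPE, "g1")))));

        Assert.assertTrue(permissions.canDescribeAccess(TOPIC));
        Assert.assertFalse(permissions.canAlterAccess(TOPIC));
        Assert.assertTrue(permissions.canDescribeAccess(literal("Topic", "t1")));
        Assert.assertFalse(permissions.canAlterAccess(literal("Topic", "t1")));
        Assert.assertTrue(permissions.canDescribeAccess(GROUP));
        Assert.assertFalse(permissions.canAlterAccess(GROUP));
        Assert.assertTrue(permissions.canDescribeAccess(literal(LookupTest.GROUP_TYPE, "g1")));
        Assert.assertFalse(permissions.canAlterAccess(literal(LookupTest.GROUP_TYPE, "g1")));
    }

    /**
     * Security-admin plus resource-owner on {@code t1} plus developer-read on {@code g1}:
     * alter access appears for t1 alone, which is the only resource the principal owns.
     */
    @Test
    public void testBuildSecurityAdminAndResourceOwnerRoleBindings() {
        ClusterPermissions permissions =
                builder.build(
                        RoleUtils.mapRolesByName(
                                ImmutableSet.of(
                                        RolesTestUtils.SECURITY_ADMIN_ROLE,
                                        RolesTestUtils.DEVELOPER_READ_ROLE,
                                        RolesTestUtils.RESOURCE_OWNER_ROLE)),
                        Collections.singleton(USER_1),
                        SCOPE,
                        ResourceType.ALL,
                        Arrays.asList(
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.SECURITY_ADMIN_ROLE.name(),
                                        SCOPE,
                                        Collections.emptySet()),
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.RESOURCE_OWNER_ROLE.name(),
                                        SCOPE,
                                        ImmutableSet.of(literal("Topic", "t1"))),
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.DEVELOPER_READ_ROLE.name(),
                                        SCOPE,
                                        ImmutableSet.of(literal(LookupTest.GROUP_TYPE, "g1")))));

        Assert.assertTrue(permissions.canDescribeAccess(TOPIC));
        Assert.assertFalse(permissions.canAlterAccess(TOPIC));
        Assert.assertTrue(permissions.canDescribeAccess(literal("Topic", "t1")));
        Assert.assertTrue(permissions.canAlterAccess(literal("Topic", "t1")));
        Assert.assertTrue(permissions.canDescribeAccess(GROUP));
        Assert.assertFalse(permissions.canAlterAccess(GROUP));
        Assert.assertTrue(permissions.canDescribeAccess(literal(LookupTest.GROUP_TYPE, "g1")));
        Assert.assertFalse(permissions.canAlterAccess(literal(LookupTest.GROUP_TYPE, "g1")));
    }

    /**
     * A binding whose role is absent from the role map is ignored. The bindings match the
     * previous test, but the resource-owner role is not in the map, so t1 gets no alter access.
     */
    @Test
    public void testBuildAndSkipUnknownRoles() {
        ClusterPermissions permissions =
                builder.build(
                        // RESOURCE_OWNER_ROLE is deliberately left out of the known roles.
                        RoleUtils.mapRolesByName(
                                ImmutableSet.of(
                                        RolesTestUtils.SECURITY_ADMIN_ROLE,
                                        RolesTestUtils.DEVELOPER_READ_ROLE)),
                        Collections.singleton(USER_1),
                        SCOPE,
                        ResourceType.ALL,
                        Arrays.asList(
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.SECURITY_ADMIN_ROLE.name(),
                                        SCOPE,
                                        Collections.emptySet()),
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.RESOURCE_OWNER_ROLE.name(),
                                        SCOPE,
                                        ImmutableSet.of(literal("Topic", "t1"))),
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.DEVELOPER_READ_ROLE.name(),
                                        SCOPE,
                                        ImmutableSet.of(literal(LookupTest.GROUP_TYPE, "g1")))));

        Assert.assertTrue(permissions.canDescribeAccess(TOPIC));
        Assert.assertFalse(permissions.canAlterAccess(TOPIC));
        Assert.assertTrue(permissions.canDescribeAccess(literal("Topic", "t1")));
        Assert.assertFalse(permissions.canAlterAccess(literal("Topic", "t1")));
        Assert.assertTrue(permissions.canDescribeAccess(GROUP));
        Assert.assertFalse(permissions.canAlterAccess(GROUP));
        Assert.assertTrue(permissions.canDescribeAccess(literal(LookupTest.GROUP_TYPE, "g1")));
        Assert.assertFalse(permissions.canAlterAccess(literal(LookupTest.GROUP_TYPE, "g1")));
    }

    /**
     * Bindings held by {@code User:u1} give nothing to a different requested principal: the
     * result for {@code User:Unknown} denies every describe and alter check.
     */
    @Test
    public void testBuildAndSkipUnknownPrincipal() {
        ClusterPermissions permissions =
                builder.build(
                        RoleUtils.mapRolesByName(
                                ImmutableSet.of(
                                        RolesTestUtils.SECURITY_ADMIN_ROLE,
                                        RolesTestUtils.DEVELOPER_READ_ROLE,
                                        RolesTestUtils.RESOURCE_OWNER_ROLE)),
                        // The requested principal differs from the one the bindings name.
                        Collections.singleton(new KafkaPrincipal("User", "Unknown")),
                        SCOPE,
                        ResourceType.ALL,
                        Arrays.asList(
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.SECURITY_ADMIN_ROLE.name(),
                                        SCOPE,
                                        Collections.emptySet()),
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.RESOURCE_OWNER_ROLE.name(),
                                        SCOPE,
                                        ImmutableSet.of(literal("Topic", "t1"))),
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.DEVELOPER_READ_ROLE.name(),
                                        SCOPE,
                                        ImmutableSet.of(literal(LookupTest.GROUP_TYPE, "g1")))));

        Assert.assertFalse(permissions.canDescribeAccess(TOPIC));
        Assert.assertFalse(permissions.canAlterAccess(TOPIC));
        Assert.assertFalse(permissions.canDescribeAccess(literal("Topic", "t1")));
        Assert.assertFalse(permissions.canAlterAccess(literal("Topic", "t1")));
        Assert.assertFalse(permissions.canDescribeAccess(GROUP));
        Assert.assertFalse(permissions.canAlterAccess(GROUP));
        Assert.assertFalse(permissions.canDescribeAccess(literal(LookupTest.GROUP_TYPE, "g1")));
        Assert.assertFalse(permissions.canAlterAccess(literal(LookupTest.GROUP_TYPE, "g1")));
    }

    /**
     * Bindings made in cluster scope {@code k1} do not carry over to another scope: building
     * for the {@code unknown} cluster scope denies every describe and alter check.
     */
    @Test
    public void testBuildAndSkipUnknownScope() {
        ClusterPermissions permissions =
                builder.build(
                        RoleUtils.mapRolesByName(
                                ImmutableSet.of(
                                        RolesTestUtils.SECURITY_ADMIN_ROLE,
                                        RolesTestUtils.DEVELOPER_READ_ROLE,
                                        RolesTestUtils.RESOURCE_OWNER_ROLE)),
                        Collections.singleton(USER_1),
                        // The requested scope differs from the scope of every binding below.
                        Scope.kafkaClusterScope("unknown"),
                        ResourceType.ALL,
                        Arrays.asList(
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.SECURITY_ADMIN_ROLE.name(),
                                        SCOPE,
                                        Collections.emptySet()),
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.RESOURCE_OWNER_ROLE.name(),
                                        SCOPE,
                                        ImmutableSet.of(literal("Topic", "t1"))),
                                new RoleBinding(
                                        USER_1,
                                        RolesTestUtils.DEVELOPER_READ_ROLE.name(),
                                        SCOPE,
                                        ImmutableSet.of(literal(LookupTest.GROUP_TYPE, "g1")))));

        Assert.assertFalse(permissions.canDescribeAccess(TOPIC));
        Assert.assertFalse(permissions.canAlterAccess(TOPIC));
        Assert.assertFalse(permissions.canDescribeAccess(literal("Topic", "t1")));
        Assert.assertFalse(permissions.canAlterAccess(literal("Topic", "t1")));
        Assert.assertFalse(permissions.canDescribeAccess(GROUP));
        Assert.assertFalse(permissions.canAlterAccess(GROUP));
        Assert.assertFalse(permissions.canDescribeAccess(literal(LookupTest.GROUP_TYPE, "g1")));
        Assert.assertFalse(permissions.canAlterAccess(literal(LookupTest.GROUP_TYPE, "g1")));
    }

    /** Returns a {@link PatternType#LITERAL} pattern for the given resource type and name. */
    private ResourcePattern literal(String resourceType, String name) {
        return new ResourcePattern(resourceType, name, PatternType.LITERAL);
    }

    /** Returns a {@link PatternType#PREFIXED} pattern for the given resource type and name. */
    private ResourcePattern prefix(String resourceType, String name) {
        return new ResourcePattern(resourceType, name, PatternType.PREFIXED);
    }
}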
