package integration.rbacapi.api.v1;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.confluent.metadataapi.entities.ClusterId;
import io.confluent.rbacapi.entities.AuthorizeRequest;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.entities.ResourcesRequest;
import io.confluent.rbacapi.errors.ErrorResponse;
import io.confluent.rbacapi.jackson.V1Role;
import io.confluent.rbacapi.retrofit.v1.V1RbacRestApi;
import io.confluent.rbacapi.retrofit.v1.V1RbacRetrofitFactory;
import io.confluent.security.auth.client.rest.entities.AclFilter;
import io.confluent.security.auth.client.rest.entities.CreateAclRequest;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.PermissionType;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.acl.AclRule;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.TestIndependenceUtil;
import io.confluent.testing.ldap.client.ExampleComLdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import java.io.IOException;
import java.net.ConnectException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.ws.rs.client.ClientBuilder;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.awaitility.Awaitility;
import org.junit.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
import retrofit2.Response;
import utils.ApiValidationUtil;
import utils.KafkaConfigTool;
import utils.MdsJsonUtil;
import utils.MdsTestUtil;
import utils.RoleCrudUtil;
import utils.ScopeBuilder;

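/**
 * Smoke tests for the v1 RBAC REST API, run against an embedded {@link RbacClusters} instance
 * backed by a throw-away LDAP server.
 *
 * <p>The tests cover role lookup, role-binding add/remove (cluster scoped and resource scoped),
 * group-to-user role inheritance, the authorize endpoint, resource-name length validation and
 * the centralized ACL endpoints. Every role or ACL test first asserts the "no access" state,
 * grants access, asserts the grant is effective, revokes it and asserts access is denied again.
 *
 * <p>This file was recovered from a decompiled class. Three unresolved decompiler registers
 * ({@code r0}) and one mistyped array literal were reconstructed; each reconstruction that
 * involved a guess is marked with a {@code NOTE(review)} comment.
 */
@Test(groups = {"classParallelTests"})
/* loaded from: input_file:integration/rbacapi/api/v1/RbacClustersSmokeTest.class */
public class RbacClustersSmokeTest {
    private static final String CLUSTER = "testCluster";
    private static final String BROKER_USER = "kafka";
    private static final String GROUP_1 = "testGroup1";
    private static final String GROUP_2 = "testGroup2";
    private static RbacClusters rbacClusters;
    private static LdapServer ldapServer;
    private static int actualMdsPort;
    private static V1RbacRestApi rbacRestApi;

    /**
     * Starts the LDAP server and the RBAC cluster, then waits until the MDS REST endpoint answers.
     *
     * <p>Security note: the broker overrides below set the MDS authentication method to
     * {@code NONE} and list {@code User:ANONYMOUS} in {@code super.users}, presumably so that the
     * unauthenticated REST client used by these tests may manage role bindings and ACLs. That
     * combination removes access control from the metadata service and is only acceptable for a
     * disposable test cluster; it must not be copied into a deployed configuration.
     *
     * @throws Throwable if any part of the fixture fails to start
     */
    @BeforeClass
    public static void setUp() throws Throwable {
        String mdsPort = MdsTestUtil.acquirePort(8090);

        ldapServer = LdapServer.defaultServerNoUsers().start();
        int ldapPort = ldapServer.actualPort();
        ExampleComLdapCrud ldapCrud = new ExampleComLdapCrud(ldapPort);
        ldapCrud.createUsers(new String[]{"Alice", "Bob", BROKER_USER});
        ldapCrud.addUserToGroup("Alice", GROUP_1);
        ldapCrud.addUserToGroup("Bob", GROUP_2);

        RbacClusters.Config config = KafkaConfigTool.justLDAPv1(ldapPort, BROKER_USER);
        // Test-only: no authentication on the MDS listener and an anonymous super user.
        config.overrideMetadataBrokerConfig("super.users", "User:ANONYMOUS;User:" + BROKER_USER)
                .overrideMetadataBrokerConfig("confluent.metadata.server.authentication.method", "NONE")
                .overrideMetadataBrokerConfig(
                        "confluent.metadata.server.listeners",
                        MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST + ":" + mdsPort)
                .overrideMetadataBrokerConfig("confluent.metadata.server.openapi.enable", "true")
                .overrideMetadataBrokerConfig("confluent.schema.registry.url", "http://localhost:8070");
        // Audit logging is switched off for this fixture, so nothing here exercises the audit trail.
        KafkaConfigTool.turnOffAuditLogs(config);

        rbacClusters = new RbacClusters(config);
        actualMdsPort = MdsTestUtil.lookupActualMdsPort(rbacClusters);
        rbacClusters.updateUserGroup("Alice", GROUP_1);
        rbacClusters.updateUserGroup("Bob", GROUP_2);

        rbacRestApi = V1RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, actualMdsPort);
        // The REST listener may not be accepting connections yet; retry for up to 30 seconds.
        Awaitility.given()
                .ignoreException(ConnectException.class)
                .await()
                .atMost(30L, TimeUnit.SECONDS)
                .until(() -> rbacRestApi.getRoleNames().execute().isSuccessful());
    }

    /**
     * Stops the fixture. Each step runs even if an earlier one throws, so a failing LDAP shutdown
     * cannot leave the cluster running or the MDS port reserved.
     */
    @AfterClass
    public static void tearDown() {
        try {
            ldapServer.stop();
        } finally {
            try {
                rbacClusters.shutdown();
            } finally {
                MdsTestUtil.releasePort(actualMdsPort);
            }
        }
    }

    /** Builds the base URI of the MDS REST listener started in {@link #setUp()}. */
    private static String mdsBaseUri() {
        return MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST + ":" + actualMdsPort;
    }

    /** Returns a {@code User:TestUser-N} principal string that no other test uses. */
    private static String uniqueUserPrincipal() {
        return "User:" + ("TestUser-" + TestIndependenceUtil.getUniqueInteger());
    }

    /** Returns a fresh MDS scope for the Kafka cluster named {@link #CLUSTER}. */
    private static MdsScope clusterScope() {
        return new MdsScope(Scope.kafkaClusterScope(CLUSTER));
    }

    /** Asserts that {@code roles} holds exactly one entry and that it is {@code expectedRole}. */
    private static void assertSingleRole(List<String> roles, String expectedRole) {
        Assert.assertNotNull(roles);
        Assert.assertEquals(1L, roles.size());
        Assert.assertTrue(roles.contains(expectedRole));
    }

    /** Checks that the Swagger UI page is served, which {@link #setUp()} enables via config. */
    @Test
    public void verifySwaggerIsAvailableTest() {
        int status = ClientBuilder.newClient()
                .target(mdsBaseUri())
                .path("/security/openapi/swagger-ui/index.html")
                .request()
                .get()
                .getStatus();
        Assert.assertEquals(200L, status);
    }

    /**
     * Checks the metadata endpoints: cluster id, schema registry URLs and analytics id.
     *
     * @throws Throwable on any REST or JSON failure
     */
    @Test
    public void getBrokerMetadataTest() throws Throwable {
        String clusterIdText = (String) rbacRestApi.getMetadataClusterId().execute().body();
        Assert.assertNotNull(clusterIdText);
        Assert.assertTrue(clusterIdText.length() > 10);

        ObjectMapper mapper = new ObjectMapper();

        ClusterId clusterId = mapper.readValue(new URL(mdsBaseUri() + "/v1/metadata/id"), ClusterId.class);
        Assert.assertEquals(clusterIdText, clusterId.id());
        Assert.assertEquals(Scope.kafkaClusterScope(clusterIdText), clusterId.scope());

        // Must echo the confluent.schema.registry.url value configured in setUp().
        String[] schemaRegistryUrls =
                mapper.readValue(new URL(mdsBaseUri() + "/v1/metadata/schemaRegistryUrls"), String[].class);
        Assert.assertEquals(1L, schemaRegistryUrls.length);
        Assert.assertEquals("http://localhost:8070", schemaRegistryUrls[0]);

        Map<String, Object> analytics = mapper.readValue(
                new URL(mdsBaseUri() + "/v1/metadata/analyticsId"),
                new TypeReference<HashMap<String, Object>>() {
                });
        Assert.assertEquals("free tier", analytics.get("audience"));
        Assert.assertNotNull(analytics.get("lid"));
        Assert.assertEquals(clusterIdText, analytics.get("pid"));
    }

    /**
     * Checks that the role-name listing succeeds and returns more than three names.
     *
     * @throws Throwable on any REST failure
     */
    @Test
    public void roleNamesSmokeTest() throws Throwable {
        Response<?> response = rbacRestApi.getRoleNames().execute();
        Assert.assertEquals(200L, response.code());
        List<?> roleNames = (List<?>) response.body();
        Assert.assertNotNull(roleNames);
        Assert.assertTrue(roleNames.size() > 3);
    }

    /**
     * Checks that a single role can be fetched by name.
     *
     * @throws Throwable on any REST failure
     */
    @Test
    public void getRoleSmokeTest() throws Throwable {
        Response<?> response = rbacRestApi.getRole("DeveloperRead").execute();
        Assert.assertEquals(200L, response.code());
        V1Role role = (V1Role) response.body();
        Assert.assertNotNull(role);
        Assert.assertEquals("DeveloperRead", role.name());
    }

    /**
     * Checks that the full role listing succeeds.
     *
     * @throws Throwable on any REST failure
     */
    @Test
    public void rolesSmokeTest() throws Throwable {
        // The decompiled source asserted on an unresolved register; it is the response itself.
        Response<?> response = rbacRestApi.getRoles().execute();
        Assert.assertNotNull(response);
        Assert.assertEquals(200L, response.code());
    }

    /**
     * Binds the cluster role {@code Operator} to a fresh user, then removes it again.
     *
     * @throws Throwable on any REST failure
     */
    @Test
    public void addRemoveRoleForUserTest() throws Throwable {
        String principal = uniqueUserPrincipal();
        ApiValidationUtil.verifyPrincipalHasNoRoles(rbacRestApi, principal, CLUSTER);

        Assert.assertEquals(
                204L,
                rbacRestApi.addClusterRoleForPrincipal(principal, "Operator", clusterScope()).execute().code());
        assertSingleRole(ApiValidationUtil.lookupRolesForPrincipal(rbacRestApi, principal, CLUSTER), "Operator");

        Assert.assertEquals(
                204L,
                rbacRestApi.removeRoleForPrincipal(principal, "Operator", clusterScope()).execute().code());
        ApiValidationUtil.verifyPrincipalHasNoRoles(rbacRestApi, principal, CLUSTER);
    }

    /**
     * Checks that a role bound to a group is reported for a member of that group, and that removing
     * the group binding removes it from the member as well.
     *
     * <p>Unlike the other tests this one uses the shared principals {@code User:Bob} and
     * {@code Group:testGroup2}; a failure between the grant and the revoke leaves
     * {@code ClusterAdmin} bound to the group for the rest of the class run.
     *
     * @throws Throwable on any REST failure
     */
    @Test
    public void verifyGroupRolesCascaseToUser() throws Throwable {
        String group = "Group:" + GROUP_2;
        String member = "User:Bob";

        ApiValidationUtil.verifyPrincipalHasNoRoles(rbacRestApi, member, CLUSTER);
        ApiValidationUtil.verifyPrincipalHasNoRoles(rbacRestApi, group, CLUSTER);

        Assert.assertEquals(
                204L,
                rbacRestApi.addClusterRoleForPrincipal(group, "ClusterAdmin", clusterScope()).execute().code());
        assertSingleRole(ApiValidationUtil.lookupRolesForPrincipal(rbacRestApi, group, CLUSTER), "ClusterAdmin");
        assertSingleRole(ApiValidationUtil.lookupRolesForPrincipal(rbacRestApi, member, CLUSTER), "ClusterAdmin");

        Assert.assertEquals(
                204L,
                rbacRestApi.removeRoleForPrincipal(group, "ClusterAdmin", clusterScope()).execute().code());
        ApiValidationUtil.verifyPrincipalHasNoRoles(rbacRestApi, group, CLUSTER);
        ApiValidationUtil.verifyPrincipalHasNoRoles(rbacRestApi, member, CLUSTER);
    }

    /**
     * Binds {@code DeveloperRead} on three topics to a fresh user and checks that read access to
     * {@code TopicA} follows the binding: denied before, allowed while bound, denied after the
     * resource is removed.
     *
     * @throws Throwable on any REST failure
     */
    @Test
    public void addRemoveRoleResourcesForUserTest() throws Throwable {
        String principal = uniqueUserPrincipal();
        ResourceType topicType = new ResourceType("Topic");
        AuthorizeRequest readTopicA = new AuthorizeRequest(
                principal,
                Collections.singletonList(
                        new Action(Scope.kafkaClusterScope(CLUSTER), topicType, "TopicA", new Operation("Read"))));
        ResourcePattern topicA = new ResourcePattern(topicType, "TopicA", PatternType.LITERAL);
        // Deliberately submitted out of name order; the listing below is asserted to come back sorted.
        List<ResourcePattern> resources = Arrays.asList(
                new ResourcePattern(topicType, "TopicB", PatternType.LITERAL),
                topicA,
                new ResourcePattern(topicType, "TopicC", PatternType.LITERAL));

        ApiValidationUtil.verifyPrincipalHasNoRoles(rbacRestApi, principal, CLUSTER);
        ApiValidationUtil.verifySingletonAuthorizeCall(rbacRestApi, readTopicA, AuthorizeResult.DENIED);

        Assert.assertEquals(
                204L,
                rbacRestApi
                        .addRoleResourcesForPrincipal(
                                principal, "DeveloperRead", new ResourcesRequest(clusterScope(), resources))
                        .execute()
                        .code());
        assertSingleRole(
                ApiValidationUtil.lookupRolesForPrincipal(rbacRestApi, principal, CLUSTER), "DeveloperRead");
        ApiValidationUtil.verifySingletonAuthorizeCall(rbacRestApi, readTopicA, AuthorizeResult.ALLOWED);

        List<?> bound = (List<?>) rbacRestApi
                .getRoleResourcesForPrincipal(principal, "DeveloperRead", clusterScope())
                .execute()
                .body();
        Assert.assertNotNull(bound);
        Assert.assertEquals(3L, bound.size());
        Assert.assertEquals("TopicA", ((ResourcePattern) bound.get(0)).name());
        Assert.assertEquals("TopicB", ((ResourcePattern) bound.get(1)).name());
        Assert.assertEquals("TopicC", ((ResourcePattern) bound.get(2)).name());

        // NOTE(review): the decompiler lost the argument here (unresolved register). TopicA is
        // inferred from the DENIED check on readTopicA that follows, while the role itself is
        // still bound; confirm against the original source.
        Assert.assertEquals(
                204L,
                rbacRestApi
                        .removeRoleResourcesForPrinpipal(
                                principal,
                                "DeveloperRead",
                                new ResourcesRequest(clusterScope(), Collections.singletonList(topicA)))
                        .execute()
                        .code());
        ApiValidationUtil.verifySingletonAuthorizeCall(rbacRestApi, readTopicA, AuthorizeResult.DENIED);

        Assert.assertEquals(
                204L,
                rbacRestApi.removeRoleForPrincipal(principal, "DeveloperRead", clusterScope()).execute().code());
        List<?> remaining = (List<?>) rbacRestApi
                .getRoleResourcesForPrincipal(principal, "DeveloperRead", clusterScope())
                .execute()
                .body();
        Assert.assertNotNull(remaining);
        Assert.assertEquals(0L, remaining.size());
        ApiValidationUtil.verifyPrincipalHasNoRoles(rbacRestApi, principal, CLUSTER);
    }

    /**
     * Supplies rows of (case label, topic-name length, expected HTTP status) for
     * {@link #topicNameLengthTest(String, int, int)}: lengths 1, 101 and 249 expect 204, while
     * lengths 0, 250 and 999 expect 400.
     *
     * @return the test rows
     */
    @DataProvider
    public Object[][] topicLengthTests() {
        // The decompiled source built this as Object[], which does not match the return type.
        return new Object[][]{
            {"EmptyString", 0, 400},
            {"MinValidLength", 1, 204},
            {"MiddleLength", 101, 204},
            {"MaxValidLength", 249, 204},
            {"JustOverLimit", 250, 400},
            {"StupidBig", 999, 400},
        };
    }

    /**
     * Checks that the API validates the length of a topic name in a resource role binding.
     *
     * @param str label of the case, used to build a unique principal name
     * @param i length of the topic name to submit (the letter {@code a} repeated)
     * @param i2 expected HTTP status code
     * @throws Exception on any REST failure
     */
    @Test(dataProvider = "topicLengthTests")
    public void topicNameLengthTest(String str, int i, int i2) throws Exception {
        String principal = RoleCrudUtil.kafkaPrincipalString(TestIndependenceUtil.uniquify("u-" + str));
        String topicName = StringUtils.repeat("a", i);
        ResourcePattern topic = new ResourcePattern(new ResourceType("Topic"), topicName, PatternType.LITERAL);

        // NOTE(review): kafkaPrincipalString is applied a second time to its own result, as in the
        // recovered source; confirm the helper is idempotent or that this is intended.
        int status = rbacRestApi
                .addRoleResourcesForPrincipal(
                        RoleCrudUtil.kafkaPrincipalString(principal),
                        "DeveloperRead",
                        new ResourcesRequest(clusterScope(), Collections.singletonList(topic)))
                .execute()
                .code();
        Assert.assertEquals(i2, status);
    }

    /**
     * Checks that binding the cluster role {@code ClusterAdmin} allows topic creation and that
     * removing the binding denies it again.
     *
     * @throws Throwable on any REST failure
     */
    @Test
    public void clusterScopeRoleTest() throws Throwable {
        String principal = uniqueUserPrincipal();
        AuthorizeRequest createTopic = new AuthorizeRequest(
                principal,
                Collections.singletonList(new Action(
                        Scope.kafkaClusterScope(CLUSTER),
                        new ResourceType("Topic"),
                        "clusterRoleCreatedTopic",
                        new Operation("Create"))));

        ApiValidationUtil.verifyPrincipalHasNoRoles(rbacRestApi, principal, CLUSTER);
        ApiValidationUtil.verifySingletonAuthorizeCall(rbacRestApi, createTopic, AuthorizeResult.DENIED);

        Assert.assertEquals(
                204L,
                rbacRestApi.addClusterRoleForPrincipal(principal, "ClusterAdmin", clusterScope()).execute().code());
        assertSingleRole(
                ApiValidationUtil.lookupRolesForPrincipal(rbacRestApi, principal, CLUSTER), "ClusterAdmin");
        ApiValidationUtil.verifySingletonAuthorizeCall(rbacRestApi, createTopic, AuthorizeResult.ALLOWED);

        Assert.assertEquals(
                204L,
                rbacRestApi.removeRoleForPrincipal(principal, "ClusterAdmin", clusterScope()).execute().code());
        ApiValidationUtil.verifyPrincipalHasNoRoles(rbacRestApi, principal, CLUSTER);
        ApiValidationUtil.verifySingletonAuthorizeCall(rbacRestApi, createTopic, AuthorizeResult.DENIED);
    }

    /**
     * Checks scope isolation: {@code ClusterAdmin} bound at the Connect cluster scope
     * (KafkaA / ConnA) allows creating a connector there but does not allow creating a topic on
     * the parent Kafka cluster.
     *
     * @throws Throwable on any REST failure
     */
    @Test
    public void connectClusterRoleTest() throws Throwable {
        String principal = uniqueUserPrincipal();
        MdsScope connectScope = ScopeBuilder.withKafka("KafkaA").withConnect("ConnA").build();
        AuthorizeRequest createConnector = new AuthorizeRequest(
                principal,
                Collections.singletonList(new Action(
                        connectScope.scope(),
                        new ResourceType("Connector"),
                        "MySQL Connector",
                        new Operation("Create"))));
        AuthorizeRequest createTopicOnParent = new AuthorizeRequest(
                principal,
                Collections.singletonList(new Action(
                        Scope.kafkaClusterScope("KafkaA"),
                        new ResourceType("Topic"),
                        "TestTopic",
                        new Operation("Create"))));

        // NOTE(review): this precondition looks at the testCluster scope, not the Connect scope
        // that the rest of the test uses; the recovered source does the same.
        ApiValidationUtil.verifyPrincipalHasNoRoles(rbacRestApi, principal, CLUSTER);
        ApiValidationUtil.verifySingletonAuthorizeCall(rbacRestApi, createConnector, AuthorizeResult.DENIED);

        Assert.assertEquals(
                204L,
                rbacRestApi.addClusterRoleForPrincipal(principal, "ClusterAdmin", connectScope).execute().code());
        assertSingleRole(
                ApiValidationUtil.lookupRolesForPrincipal(rbacRestApi, principal, connectScope), "ClusterAdmin");
        ApiValidationUtil.verifySingletonAuthorizeCall(rbacRestApi, createConnector, AuthorizeResult.ALLOWED);
        // The Connect-scoped grant must not leak upwards to the Kafka cluster.
        ApiValidationUtil.verifySingletonAuthorizeCall(rbacRestApi, createTopicOnParent, AuthorizeResult.DENIED);

        Assert.assertEquals(
                204L,
                rbacRestApi.removeRoleForPrincipal(principal, "ClusterAdmin", connectScope).execute().code());
        ApiValidationUtil.verifyPrincipalHasNoRoles(rbacRestApi, principal, connectScope);
        ApiValidationUtil.verifySingletonAuthorizeCall(rbacRestApi, createConnector, AuthorizeResult.DENIED);
    }

    /**
     * Checks that a resource role binding for the cluster-scoped role {@code ClusterAdmin} is
     * rejected with HTTP 400 and the expected error message.
     *
     * @throws Throwable on any REST or JSON failure
     */
    @Test
    public void clusterScopeRoleDoesNotTakeResources() throws Throwable {
        String principal = uniqueUserPrincipal();
        List<ResourcePattern> resources = Collections.singletonList(
                new ResourcePattern(new ResourceType("Topic"), "clusterRoleCreatedTopic", PatternType.LITERAL));
        ApiValidationUtil.verifyPrincipalHasNoRoles(rbacRestApi, principal, CLUSTER);

        Response<?> response = rbacRestApi
                .addRoleResourcesForPrincipal(
                        principal, "ClusterAdmin", new ResourcesRequest(clusterScope(), resources))
                .execute();

        Assert.assertFalse("Should not have gotten a happy response.", response.isSuccessful());
        Assert.assertEquals(400L, response.code());
        ErrorResponse error = (ErrorResponse) MdsJsonUtil.deserializeJson(
                response.errorBody().string(),
                new TypeReference<ErrorResponse>() {
                });
        Assert.assertTrue(error.message.contains("Cannot grant resource role bindings to a cluster scoped role"));
    }

    /**
     * Exercises the ACL endpoints: create, authorize against the new ACLs, describe and delete.
     *
     * <p>Three ALLOW bindings are created: a literal {@code TopicA} read ACL restricted to one
     * host, a prefixed {@code Topic} read ACL for any host, and an {@code All} ACL on the cluster
     * resource. The describe assertions compare against the complete set of bindings in the
     * {@code testCluster} scope, so they presumably rely on no other test creating ACLs in that
     * scope at the same time.
     *
     * @throws Throwable on any REST failure
     */
    @Test
    public void aclManagementAPITest() throws Throwable {
        String host = "192.168.9.1";
        KafkaPrincipal hostBoundUser = new KafkaPrincipal("User", "TestUser-" + TestIndependenceUtil.getUniqueInteger());
        KafkaPrincipal anyHostUser = new KafkaPrincipal("User", "TestUser-" + TestIndependenceUtil.getUniqueInteger());
        Scope scope = Scope.kafkaClusterScope(CLUSTER);

        AuthorizeRequest hostBoundRead = new AuthorizeRequest(
                hostBoundUser.toString(),
                host,
                Collections.singletonList(new Action(
                        Scope.kafkaClusterScope(CLUSTER), new ResourceType("Topic"), "TopicA", new Operation("Read"))));
        ApiValidationUtil.verifySingletonAuthorizeCall(rbacRestApi, hostBoundRead, AuthorizeResult.DENIED);

        AclBinding literalTopicAcl = new AclBinding(
                ResourcePattern.to(new ResourcePattern(new ResourceType("Topic"), "TopicA", PatternType.LITERAL)),
                new AclRule(hostBoundUser, PermissionType.ALLOW, host, new Operation("Read")).toAccessControlEntry());
        Assert.assertEquals(
                204L, rbacRestApi.createAcls(new CreateAclRequest(scope, literalTopicAcl)).execute().code());
        ApiValidationUtil.verifySingletonAuthorizeCall(rbacRestApi, hostBoundRead, AuthorizeResult.ALLOWED);

        // A prefixed ACL on "Topic" must also match the literal name "TopicA".
        AclBinding prefixedTopicAcl = new AclBinding(
                ResourcePattern.to(new ResourcePattern(new ResourceType("Topic"), "Topic", PatternType.PREFIXED)),
                new AclRule(anyHostUser, PermissionType.ALLOW, "*", new Operation("Read")).toAccessControlEntry());
        Assert.assertEquals(
                204L, rbacRestApi.createAcls(new CreateAclRequest(scope, prefixedTopicAcl)).execute().code());
        AuthorizeRequest anyHostRead = new AuthorizeRequest(
                anyHostUser.toString(),
                host,
                Collections.singletonList(new Action(
                        Scope.kafkaClusterScope(CLUSTER), new ResourceType("Topic"), "TopicA", new Operation("Read"))));
        ApiValidationUtil.verifySingletonAuthorizeCall(rbacRestApi, anyHostRead, AuthorizeResult.ALLOWED);

        AclBinding clusterAcl = new AclBinding(
                ResourcePattern.to(
                        new ResourcePattern(new ResourceType("Cluster"), "kafka-cluster", PatternType.LITERAL)),
                new AclRule(anyHostUser, PermissionType.ALLOW, "*", new Operation("All")).toAccessControlEntry());
        Assert.assertEquals(204L, rbacRestApi.createAcls(new CreateAclRequest(scope, clusterAcl)).execute().code());

        HashSet<AclBinding> allThree = new HashSet<>();
        allThree.add(literalTopicAcl);
        allThree.add(prefixedTopicAcl);
        allThree.add(clusterAcl);
        Assert.assertEquals(allThree, new HashSet<>(allBindings(rbacRestApi, scope)));

        // A delete with a specific filter returns, and removes, only the matching binding.
        List<?> deletedByFilter =
                (List<?>) rbacRestApi.deleteAcls(new AclFilter(scope, literalTopicAcl.toFilter())).execute().body();
        Assert.assertEquals(Collections.singleton(literalTopicAcl), new HashSet<Object>(deletedByFilter));

        HashSet<AclBinding> remainingTwo = new HashSet<>();
        remainingTwo.add(prefixedTopicAcl);
        remainingTwo.add(clusterAcl);
        Assert.assertEquals(remainingTwo, new HashSet<>(allBindings(rbacRestApi, scope)));

        // Deleting with the ANY filter removes every ACL left in the scope, leaving it clean.
        List<?> deletedByAny =
                (List<?>) rbacRestApi.deleteAcls(new AclFilter(scope, AclBindingFilter.ANY)).execute().body();
        Assert.assertEquals(remainingTwo, new HashSet<Object>(deletedByAny));
        Assert.assertTrue(allBindings(rbacRestApi, scope).isEmpty());
    }

    /**
     * Describes every ACL binding in {@code scope} by querying with the {@code ANY} filter.
     *
     * @param v1RbacRestApi REST client to query
     * @param scope scope whose ACLs are listed
     * @return the response body, cast to a list of bindings
     * @throws IOException if the REST call fails
     */
    @SuppressWarnings("unchecked") // the element type of the response body is not visible here
    public static List<AclBinding> allBindings(V1RbacRestApi v1RbacRestApi, Scope scope) throws IOException {
        return (List<AclBinding>) v1RbacRestApi.describeAcls(new AclFilter(scope, AclBindingFilter.ANY)).execute().body();
    }
}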
