package integration.rbacapi.configuration;

import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.auth.client.provider.BuiltInAuthProviders;
import io.confluent.security.auth.client.rest.exceptions.RestClientException;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.TestIndependenceUtil;
import io.confluent.testing.ldap.client.ExampleComLdapCrud;
import io.confluent.testing.ldap.client.LdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.bind.DatatypeConverter;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.testng.Assert;
import org.testng.ITest;
import org.testng.annotations.AfterClass;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Factory;
import org.testng.annotations.Test;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;
import utils.QuorumTestInfo;

@Test(groups = {"classParallelTests"})
/* loaded from: input_file:integration/rbacapi/configuration/LdapLoginIntegrationTest.class */
public class LdapLoginIntegrationTest implements ITest {
    private static final String BROKER_USER = "kafka";
    private LdapCrud ldapCrud;
    private LdapServer ldapServer;
    private int actualLdapPort;
    private RbacClusters rbacClusters;
    private String quorum;
    private int mdsTestPort = MdsTestUtil.getUniqueishMdsPort();
    private ThreadLocal<String> testName = new ThreadLocal<>();

    /* JADX WARN: Type inference failed for: r0v1, types: [java.lang.Object[], java.lang.Object[][]] */
    @DataProvider
    public static Object[][] quorums() {
        return new Object[]{new Object[]{"zk"}, new Object[]{"kraft"}, new Object[]{"kraft_combined"}};
    }

    @Factory(dataProvider = "quorums")
    public LdapLoginIntegrationTest(String str) {
        this.quorum = str;
    }

    @BeforeClass
    public void setupClass() {
        this.ldapServer = LdapServer.defaultServerNoUsers().start();
        this.actualLdapPort = this.ldapServer.actualPort();
        this.ldapCrud = new ExampleComLdapCrud(this.actualLdapPort);
    }

    @AfterClass
    public void teardownClass() {
        this.ldapServer.stop();
    }

    @AfterMethod
    public void tearDown() throws InterruptedException {
        int lookupActualMdsPort = MdsTestUtil.lookupActualMdsPort(this.rbacClusters);
        this.rbacClusters.shutdown();
        MdsTestUtil.releasePort(lookupActualMdsPort);
    }

    @Test
    public void testLdapAuthenticationUsingBind() throws Exception {
        this.rbacClusters = new RbacClusters(KafkaConfigTool.justLDAPv1(this.actualLdapPort, this.mdsTestPort, "kafka"), new QuorumTestInfo(this.quorum));
        int lookupActualMdsPort = MdsTestUtil.lookupActualMdsPort(this.rbacClusters);
        String str = "testUser-" + TestIndependenceUtil.getUniqueInteger();
        String str2 = str + "-password";
        this.ldapCrud.createUser(str, str2);
        this.rbacClusters.assignRole("User", str, "ResourceOwner", this.rbacClusters.metadataClusterId(), Collections.singleton(new ResourcePattern("Topic", "TestTopic", PatternType.LITERAL)));
        verifyClientAuthentication(lookupActualMdsPort, str, str2);
        verifyBadPasswordFailure(lookupActualMdsPort, str, "invalid", "with an invalid password");
        verifyBadPasswordFailure(lookupActualMdsPort, str, "", "with an empty string password");
        String str3 = "testUser-" + TestIndependenceUtil.getUniqueInteger();
        String str4 = str3 + "-password";
        this.ldapCrud.createUser(str3, encryptLdapPassword(str4));
        this.rbacClusters.assignRole("User", str3, "ResourceOwner", this.rbacClusters.metadataClusterId(), Collections.singleton(new ResourcePattern("Topic", "TestTopic", PatternType.LITERAL)));
        verifyClientAuthentication(lookupActualMdsPort, str3, str4);
        verifyBadPasswordFailure(lookupActualMdsPort, str3, "invalid", "with an invalid password");
        verifyBadPasswordFailure(lookupActualMdsPort, str3, "", "with an empty string password");
    }

    @Test
    public void testLdapAuthenticationUsingPasswordSearch() throws Exception {
        this.rbacClusters = new RbacClusters(KafkaConfigTool.justLDAPv1(this.actualLdapPort, this.mdsTestPort, "kafka").overrideMetadataBrokerConfig("ldap.user.password.attribute", "userPassword"), new QuorumTestInfo(this.quorum));
        int lookupActualMdsPort = MdsTestUtil.lookupActualMdsPort(this.rbacClusters);
        String str = "testUser-" + TestIndependenceUtil.getUniqueInteger();
        String str2 = str + "-password";
        this.ldapCrud.createUser(str, str2);
        this.rbacClusters.assignRole("User", str, "ResourceOwner", this.rbacClusters.metadataClusterId(), Collections.singleton(new ResourcePattern("Topic", "TestTopic", PatternType.LITERAL)));
        verifyClientAuthentication(lookupActualMdsPort, str, str2);
        verifyBadPasswordFailure(lookupActualMdsPort, str, "invalid", "with an invalid password");
        verifyBadPasswordFailure(lookupActualMdsPort, str, "", "with an empty string password");
        String str3 = "testUser-" + TestIndependenceUtil.getUniqueInteger();
        String str4 = str3 + "-password";
        this.ldapCrud.createUser(str3, encryptLdapPassword(str4));
        this.rbacClusters.assignRole("User", str3, "ResourceOwner", this.rbacClusters.metadataClusterId(), Collections.singleton(new ResourcePattern("Topic", "TestTopic", PatternType.LITERAL)));
        verifyClientAuthentication(lookupActualMdsPort, str3, str4);
        verifyBadPasswordFailure(lookupActualMdsPort, str3, "invalid", "with an invalid password");
        verifyBadPasswordFailure(lookupActualMdsPort, str3, "", "with an empty string password");
    }

    private void verifyClientAuthentication(int i, String str, String str2) throws Exception {
        RestAuthorizer createClient = createClient(i, str, str2);
        Throwable th = null;
        try {
            try {
                List authorize = createClient.authorize(new KafkaPrincipal("User", str), "", Arrays.asList(new Action(Scope.kafkaClusterScope(this.rbacClusters.metadataClusterId()), new ResourceType("Topic"), "TestTopic", new Operation("Write")), new Action(Scope.kafkaClusterScope(this.rbacClusters.metadataClusterId()), new ResourceType("Topic"), "SensitiveTopic", new Operation("Write"))));
                Assert.assertEquals(2, authorize.size());
                Assert.assertEquals(AuthorizeResult.ALLOWED, authorize.get(0));
                Assert.assertEquals(AuthorizeResult.DENIED, authorize.get(1));
                if (createClient != null) {
                    if (0 == 0) {
                        createClient.close();
                        return;
                    }
                    try {
                        createClient.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (createClient != null) {
                if (th != null) {
                    try {
                        createClient.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    createClient.close();
                }
            }
            throw th4;
        }
    }

    private static void verifyBadPasswordFailure(int i, String str, String str2, String str3) {
        try {
            RestAuthorizer createClient = createClient(i, str, str2);
            Throwable th = null;
            try {
                createClient.authorize(new KafkaPrincipal("User", str), "http://myMDShost.com", Arrays.asList(new Action(Scope.kafkaClusterScope("clusterID"), new ResourceType("Topic"), "SensitiveTopic", new Operation("Write"))));
                Assert.fail("Should not have been able to make a successful call with RestAuthorizer because : " + str3);
                if (createClient != null) {
                    if (0 != 0) {
                        try {
                            createClient.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        createClient.close();
                    }
                }
            } catch (Throwable th3) {
                if (createClient != null) {
                    if (0 != 0) {
                        try {
                            createClient.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        createClient.close();
                    }
                }
                throw th3;
            }
        } catch (RuntimeException e) {
            org.junit.Assert.assertTrue(e.getCause() instanceof RestClientException);
            org.junit.Assert.assertEquals(401L, r0.errorCode());
        } catch (Exception e2) {
            Assert.fail("Unexpected exception thrown from RestAuthorizer of type:" + e2.getClass().getSimpleName());
        }
    }

    private static RestAuthorizer createClient(int i, String str, String str2) {
        HashMap hashMap = new HashMap();
        hashMap.put("confluent.metadata.bootstrap.server.urls", MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST + ":" + i);
        hashMap.put("confluent.metadata.http.auth.credentials.provider", BuiltInAuthProviders.HttpCredentialProviders.BASIC.name());
        hashMap.put("confluent.metadata.basic.auth.user.info", String.format("%s:%s", str, str2));
        hashMap.put("confluent.metadata.basic.auth.credentials.provider", BuiltInAuthProviders.BasicAuthCredentialProviders.USER_INFO.name());
        hashMap.put("confluent.metadata.request.timeout.ms", 2000);
        hashMap.put("confluent.metadata.http.request.timeout.ms", 500);
        RestAuthorizer restAuthorizer = new RestAuthorizer();
        restAuthorizer.configure(hashMap);
        return restAuthorizer;
    }

    private static String encryptLdapPassword(String str) throws Exception {
        return "{MD5}" + DatatypeConverter.printBase64Binary(MessageDigest.getInstance("MD5").digest(str.getBytes(StandardCharsets.UTF_8)));
    }

    public String getTestName() {
        return this.testName.get();
    }

    @BeforeMethod
    public void updateDisplayName(Method method, Object[] objArr) {
        this.testName.set(method.getName() + "_" + this.quorum);
    }
}
