package integration.rbacapi.api.v1;

import io.confluent.rbacapi.entities.AuthorizeRequest;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.entities.ResourcesRequest;
import io.confluent.rbacapi.retrofit.v1.V1RbacRestApi;
import io.confluent.rbacapi.retrofit.v1.V1RbacRetrofitFactory;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import java.io.IOException;
import java.lang.reflect.Method;
import java.net.ConnectException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.ws.rs.client.ClientBuilder;
import org.apache.kafka.common.resource.PatternType;
import org.awaitility.Awaitility;
import org.junit.Assert;
import org.testng.ITest;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Factory;
import org.testng.annotations.Test;
import retrofit2.Response;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;
import utils.QuorumTestInfo;
import utils.ScopeBuilder;

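/**
 * Integration tests for the delegation limits of the {@code ResourceOwner} role as exposed by the
 * V1 RBAC REST API of the metadata service (MDS).
 *
 * <p>The security properties pinned by this class are:
 * <ul>
 *   <li>a resource owner is authorized only for the resources it was granted;</li>
 *   <li>a resource owner cannot hand out cluster-scoped roles (no privilege escalation through
 *       role bindings), against either the Kafka or the KSQL scope;</li>
 *   <li>a resource owner cannot grant a pattern broader than, or merely similar to, its own
 *       grants;</li>
 *   <li>a resource owner can delegate a narrower pattern, or an identical copy of its grants.</li>
 * </ul>
 *
 * <p>The class is instantiated once per quorum mode through {@link #quorums()}, and the quorum is
 * appended to the reported test name so that results of the instances can be told apart.
 *
 * <p>NOTE(review): the negative grant tests assert only the HTTP status (and, in places, the
 * error text). None of them follows up with an {@code authorize} call for the target principal to
 * confirm that no binding was created; consider adding that check.
 */
@Test(groups = {"classParallelTests"})
public class ResourceOwnerTest implements ITest {
    private static final String BROKER_SUPER_USER = "kafka";
    private static final String ROOT_USER_ADMIN = "root_user-admin";
    private static final String ROOT_RESOURCE_OWNER = "root_resource_owner";
    private static final String CHILD_RESOURCE_OWNER = "child_resource_owner";
    private static final String CLONE_DEVELOPER = "clone_developer";
    private static final String CLONE_RESOURCE_OWNER = "clone_resource_owner";
    private static final String CLONE_CLONE_RESOURCE_OWNER = "clone_of_clone_resource_owner";

    // Resource patterns granted to ROOT_RESOURCE_OWNER in the Kafka cluster scope during setUp().
    private static final List<ResourcePattern> ROOT_KAFKA_PATTERNS = Arrays.asList(
            new ResourcePattern("Topic", "ramen-", PatternType.PREFIXED),
            new ResourcePattern("Topic", "sushi-", PatternType.PREFIXED),
            new ResourcePattern("Topic", "gyoza-pork", PatternType.LITERAL),
            new ResourcePattern(LookupTest.GROUP_TYPE, "*", PatternType.LITERAL),
            new ResourcePattern("Cluster", "kafka-cluster", PatternType.LITERAL));

    // Resource pattern granted to ROOT_RESOURCE_OWNER in the KSQL cluster scope during setUp().
    private static final List<ResourcePattern> ROOT_KSQL_PATTERNS = Collections.singletonList(
            new ResourcePattern("KsqlCluster", "ksql-cluster", PatternType.LITERAL));

    private final String quorum;
    // Populated once in setUp() and only read afterwards, including by the parallel tests.
    private final Map<String, V1RbacRestApi> retrofitClients = new HashMap<>();
    private final ResourceType topicRT = new ResourceType("Topic");
    private final ResourceType groupRT = new ResourceType(LookupTest.GROUP_TYPE);
    private final ResourceType clusterRT = new ResourceType("Cluster");
    private final Operation readOp = new Operation("Read");
    private final Operation describeConfigsOp = new Operation("DescribeConfigs");
    private final ThreadLocal<String> testName = new ThreadLocal<>();

    private RbacClusters rbacClusters;
    private int actualMdsPort;
    private String kafkaClusterId;
    private MdsScope kafkaClusterScope;
    private MdsScope ksqlClusterScope;
    // Seven probe actions: the first five fall inside ROOT_KAFKA_PATTERNS, the last two do not.
    private List<Action> rootKafkaActions;

    /** Supplies the quorum modes; {@link Factory} creates one test instance per row. */
    @DataProvider
    public static Object[][] quorums() {
        return new Object[][] {{"zk"}, {"kraft"}, {"kraft_combined"}};
    }

    /**
     * Creates the test instance for one quorum mode.
     *
     * @param quorum quorum mode string handed to {@link QuorumTestInfo} in {@link #setUp()}
     */
    @Factory(dataProvider = "quorums")
    public ResourceOwnerTest(String quorum) {
        this.quorum = quorum;
    }

    /**
     * Starts the RBAC test clusters, builds one REST client per test user and creates the
     * baseline role bindings every test relies on.
     *
     * @throws Exception if the clusters cannot be started or a REST call fails
     */
    @BeforeClass
    public void setUp() throws Exception {
        List<String> users = Arrays.asList(
                BROKER_SUPER_USER,
                ROOT_USER_ADMIN,
                ROOT_RESOURCE_OWNER,
                CHILD_RESOURCE_OWNER,
                CLONE_RESOURCE_OWNER,
                CLONE_DEVELOPER,
                CLONE_CLONE_RESOURCE_OWNER);
        // NOTE(review): justHash presumably builds the cluster config for the super user and the
        // listed test users; confirm against KafkaConfigTool.
        this.rbacClusters = new RbacClusters(
                KafkaConfigTool.justHash(BROKER_SUPER_USER, users), new QuorumTestInfo(this.quorum));
        this.actualMdsPort = MdsTestUtil.lookupActualMdsPort(this.rbacClusters);
        this.kafkaClusterId = this.rbacClusters.metadataClusterId();
        this.kafkaClusterScope = new MdsScope(Scope.kafkaClusterScope(this.kafkaClusterId));
        this.ksqlClusterScope = ScopeBuilder.withKafka(this.kafkaClusterId).withKSQL("ksqlId").build();

        Scope kafkaScope = this.kafkaClusterScope.scope();
        this.rootKafkaActions = Arrays.asList(
                new Action(kafkaScope, this.topicRT, "ramen-shoyu", this.readOp),
                new Action(kafkaScope, this.topicRT, "sushi-nigiri-tuna", this.readOp),
                new Action(kafkaScope, this.topicRT, "gyoza-pork", this.readOp),
                new Action(kafkaScope, this.groupRT, "SushiConsumer", this.readOp),
                new Action(kafkaScope, this.clusterRT, "kafka-cluster", this.describeConfigsOp),
                // Not covered by any granted pattern: expected to be DENIED.
                new Action(kafkaScope, this.topicRT, "bentobox-salmon", this.readOp),
                new Action(kafkaScope, this.topicRT, "gyoza-veggie", this.readOp));

        for (String user : users) {
            // The user name is passed twice. NOTE(review): the last two arguments look like the
            // basic-auth user name and password, i.e. test-only credentials where both are
            // equal; confirm against V1RbacRetrofitFactory.
            this.retrofitClients.put(
                    user,
                    V1RbacRetrofitFactory.build(
                            MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, user, user));
        }

        // Poll until the REST endpoint answers; refused connections are ignored while waiting.
        V1RbacRestApi userAdminApi = this.retrofitClients.get(ROOT_USER_ADMIN);
        Awaitility.given()
                .ignoreException(ConnectException.class)
                .await()
                .atMost(30L, TimeUnit.SECONDS)
                .until(() -> userAdminApi.getRoleNames().execute().isSuccessful());

        // The broker super user bootstraps a UserAdmin for both scopes ...
        V1RbacRestApi superUserApi = this.retrofitClients.get(BROKER_SUPER_USER);
        Assert.assertTrue(superUserApi
                .addClusterRoleForPrincipal(principal(ROOT_USER_ADMIN), "UserAdmin", this.kafkaClusterScope)
                .execute()
                .isSuccessful());
        Assert.assertTrue(superUserApi
                .addClusterRoleForPrincipal(principal(ROOT_USER_ADMIN), "UserAdmin", this.ksqlClusterScope)
                .execute()
                .isSuccessful());

        // ... and that UserAdmin creates the root resource owner the tests delegate from.
        Assert.assertEquals(
                "Should have setup the ROOT_RESOURCE_OWNER",
                204L,
                userAdminApi
                        .addRoleResourcesForPrincipal(
                                principal(ROOT_RESOURCE_OWNER),
                                "ResourceOwner",
                                new ResourcesRequest(this.kafkaClusterScope, ROOT_KAFKA_PATTERNS))
                        .execute()
                        .code());
        Assert.assertEquals(
                "Should have setup the ROOT_RESOURCE_OWNER",
                204L,
                userAdminApi
                        .addRoleResourcesForPrincipal(
                                principal(ROOT_RESOURCE_OWNER),
                                "ResourceOwner",
                                new ResourcesRequest(this.ksqlClusterScope, ROOT_KSQL_PATTERNS))
                        .execute()
                        .code());
    }

    /** Shuts the clusters down and releases the MDS port, even when the shutdown throws. */
    @AfterClass
    public void tearDown() {
        try {
            this.rbacClusters.shutdown();
        } finally {
            MdsTestUtil.releasePort(this.actualMdsPort);
        }
    }

    /** Asserts that the Swagger UI path answers 404 in this (default) test configuration. */
    @Test
    public void verifySwaggerIsNOTNormallyAvailable() {
        // Fully qualified because the file imports only ClientBuilder from this package.
        javax.ws.rs.client.Client client = ClientBuilder.newClient();
        try {
            int status = client
                    .target(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST + ":" + this.actualMdsPort)
                    .path("/security/openapi/swagger-ui/index.html")
                    .request()
                    .get()
                    .getStatus();
            Assert.assertEquals(404L, status);
        } finally {
            // The client was previously never closed, leaking its connection resources.
            client.close();
        }
    }

    /**
     * Checks that a freshly built client for the user admin can list roles.
     *
     * @throws IOException if the REST call fails
     */
    @Test
    public void sanityTest_RetroFitBasicAuth() throws IOException {
        Response<?> response = V1RbacRetrofitFactory.build(
                        MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST,
                        this.actualMdsPort,
                        ROOT_USER_ADMIN,
                        ROOT_USER_ADMIN)
                .getRoles()
                .execute();
        Assert.assertNotNull(response);
        Assert.assertEquals(200L, response.code());
    }

    /**
     * Checks the baseline: the root resource owner is allowed exactly the five probe actions
     * inside its grants and denied the two outside them.
     */
    @Test
    public void sanityTest_ResourceOwnerAuthorization() throws Throwable {
        Response<?> response = this.retrofitClients
                .get(ROOT_RESOURCE_OWNER)
                .authorize(new AuthorizeRequest(principal(ROOT_RESOURCE_OWNER), this.rootKafkaActions))
                .execute();
        assertAuthorizeResults(
                response,
                AuthorizeResult.ALLOWED,
                AuthorizeResult.ALLOWED,
                AuthorizeResult.ALLOWED,
                AuthorizeResult.ALLOWED,
                AuthorizeResult.ALLOWED,
                AuthorizeResult.DENIED,
                AuthorizeResult.DENIED);
    }

    /** Cluster-scoped role names that a resource owner must never be able to grant. */
    @DataProvider(parallel = true)
    public static Object[][] clusterRoles() {
        return new Object[][] {
            {"SystemAdmin"}, {"UserAdmin"}, {"ClusterAdmin"}, {"Operator"}, {"SecurityAdmin"}
        };
    }

    /**
     * Holding a grant on the Kafka {@code Cluster} resource must not allow handing out a
     * cluster-scoped role: the precondition (access to the cluster resource) is asserted first,
     * then the grant attempt must be rejected with 403.
     *
     * @param roleName cluster-scoped role the resource owner tries to grant
     */
    @Test(dataProvider = "clusterRoles")
    public void resourceOwner_withClusterResource_CannotGrantClusterScopeRole_againstKafka(String roleName)
            throws Throwable {
        V1RbacRestApi ownerApi = this.retrofitClients.get(ROOT_RESOURCE_OWNER);
        Action describeCluster = new Action(
                this.kafkaClusterScope.scope(),
                new ResourcePattern("Cluster", "kafka-cluster", PatternType.LITERAL),
                new Operation("DescribeConfigs"));
        Response<?> authorized = ownerApi
                .authorize(new AuthorizeRequest(
                        principal(ROOT_RESOURCE_OWNER), Collections.singletonList(describeCluster)))
                .execute();
        Assert.assertEquals(200L, authorized.code());
        Assert.assertEquals(AuthorizeResult.ALLOWED, ((List<?>) authorized.body()).get(0));

        Response<?> grant = ownerApi
                .addClusterRoleForPrincipal("User:Chuck", roleName, this.kafkaClusterScope)
                .execute();
        Assert.assertFalse(grant.isSuccessful());
        Assert.assertEquals(403L, grant.code());
        Assert.assertTrue(grant.errorBody().string().contains("not permitted"));
    }

    /**
     * KSQL-scope counterpart of the Kafka test above: access to the {@code KsqlCluster} resource
     * must not allow granting a cluster-scoped role.
     *
     * @param roleName cluster-scoped role the resource owner tries to grant
     */
    @Test(dataProvider = "clusterRoles")
    public void resourceOwner_withClusterResource_CannotGrantClusterScopeRole_againstKsql(String roleName)
            throws Throwable {
        V1RbacRestApi ownerApi = this.retrofitClients.get(ROOT_RESOURCE_OWNER);
        Action contribute = new Action(
                this.ksqlClusterScope.scope(),
                new ResourcePattern("KsqlCluster", "ksql-cluster", PatternType.LITERAL),
                new Operation("Contribute"));
        Response<?> authorized = ownerApi
                .authorize(new AuthorizeRequest(
                        principal(ROOT_RESOURCE_OWNER), Collections.singletonList(contribute)))
                .execute();
        Assert.assertEquals(200L, authorized.code());
        Assert.assertEquals(AuthorizeResult.ALLOWED, ((List<?>) authorized.body()).get(0));

        Response<?> grant = ownerApi
                .addClusterRoleForPrincipal("User:Chuck", roleName, this.ksqlClusterScope)
                .execute();
        Assert.assertFalse(grant.isSuccessful());
        Assert.assertEquals(403L, grant.code());
        Assert.assertTrue(grant.errorBody().string().contains("not permitted"));
    }

    /**
     * Binding a cluster-scoped role through the resource-binding endpoint must fail with 400.
     * Either of two error texts is accepted.
     *
     * <p>NOTE(review): the 400 (rather than 403) and the accepted texts suggest the request is
     * rejected by validation of the role; confirm that this is the intended layer.
     *
     * @param roleName cluster-scoped role the resource owner tries to bind to a resource
     */
    @Test(dataProvider = "clusterRoles")
    public void resourceOwnerCannotGrantClusterScopeRole_withResources_againstKafka(String roleName)
            throws Throwable {
        Response<?> grant = this.retrofitClients
                .get(ROOT_RESOURCE_OWNER)
                .addRoleResourcesForPrincipal(
                        "User:Chuck",
                        roleName,
                        new ResourcesRequest(
                                this.kafkaClusterScope,
                                Collections.singletonList(
                                        new ResourcePattern("Cluster", "kafka-cluster", PatternType.LITERAL))))
                .execute();
        Assert.assertFalse(grant.isSuccessful());
        Assert.assertEquals(400L, grant.code());
        String error = grant.errorBody().string();
        Assert.assertTrue(
                error.contains("Cannot grant resource role bindings to a cluster scoped role")
                        || error.contains("No role"));
    }

    /**
     * KSQL-scope counterpart of the Kafka test above.
     *
     * @param roleName cluster-scoped role the resource owner tries to bind to a resource
     */
    @Test(dataProvider = "clusterRoles")
    public void resourceOwnerCannotGrantClusterScopeRole_withResources_againstKsql(String roleName)
            throws Throwable {
        Response<?> grant = this.retrofitClients
                .get(ROOT_RESOURCE_OWNER)
                .addRoleResourcesForPrincipal(
                        "User:Chuck",
                        roleName,
                        new ResourcesRequest(
                                this.ksqlClusterScope,
                                Collections.singletonList(
                                        new ResourcePattern("KsqlCluster", "ksql-cluster", PatternType.LITERAL))))
                .execute();
        Assert.assertFalse(grant.isSuccessful());
        Assert.assertEquals(400L, grant.code());
        String error = grant.errorBody().string();
        Assert.assertTrue(
                error.contains("Cannot grant resource role bindings to a cluster scoped role")
                        || error.contains("No role"));
    }

    /** Patterns wider than, or merely similar to, the root resource owner's own grants. */
    @DataProvider(parallel = true)
    public static Object[][] overlyBroadResourcePatterns() {
        return new Object[][] {
            {"Fail to go from prefix grant to *", new ResourcePattern("Topic", "*", PatternType.LITERAL)},
            {"Fail to prefix grant higher than allowed", new ResourcePattern("Topic", "sushi", PatternType.PREFIXED)},
            {"Fail to turn literal grant into prefix", new ResourcePattern("Topic", "gyoza-pork", PatternType.PREFIXED)},
            {"Fail to grant similar literal ", new ResourcePattern("Topic", "gyoza-veggie", PatternType.LITERAL)}
        };
    }

    /**
     * A resource owner must not be able to grant a pattern that exceeds its own grants; the
     * attempt has to be rejected with 403.
     *
     * @param description human-readable label of the case, used as the assertion message
     * @param resourcePattern the too-broad pattern the resource owner tries to grant
     */
    @Test(dataProvider = "overlyBroadResourcePatterns")
    public void resourceOwnerCannotGrantOutsideItsGrants(String description, ResourcePattern resourcePattern)
            throws Throwable {
        // The decompiled source lost this local and referred to an undeclared register name.
        Response<?> grant = this.retrofitClients
                .get(ROOT_RESOURCE_OWNER)
                .addRoleResourcesForPrincipal(
                        "User:NoSoupForYou",
                        "ResourceOwner",
                        new ResourcesRequest(this.kafkaClusterScope, Collections.singletonList(resourcePattern)))
                .execute();
        Assert.assertFalse(description, grant.isSuccessful());
        Assert.assertEquals(description, 403L, grant.code());
    }

    /** Patterns that lie strictly inside the root resource owner's grants. */
    @DataProvider(parallel = true)
    public static Object[][] narrowerResourcePatterns() {
        return new Object[][] {
            {"Narrow from prefix to literal", new ResourcePattern("Topic", "ramen-", PatternType.LITERAL)},
            {"Narrow a prefix", new ResourcePattern("Topic", "sushi-nigiri-", PatternType.PREFIXED)},
            {"Narrow a prefix to literal ", new ResourcePattern("Topic", "sushi-roll-salmon", PatternType.LITERAL)},
            {"Narrow * to prefix", new ResourcePattern(LookupTest.GROUP_TYPE, "Sushi", PatternType.PREFIXED)}
        };
    }

    /**
     * A resource owner may delegate a narrower pattern: the grant returns 204 and the child is
     * then authorized to read the resource named by the pattern.
     *
     * @param description human-readable label of the case, used as the assertion message
     * @param resourcePattern the narrower pattern granted to the child resource owner
     */
    @Test(dataProvider = "narrowerResourcePatterns")
    public void resourceOwnerCanNarrowGrants(String description, ResourcePattern resourcePattern)
            throws Throwable {
        V1RbacRestApi ownerApi = this.retrofitClients.get(ROOT_RESOURCE_OWNER);
        // The decompiled source lost this local and referred to an undeclared register name.
        Response<?> grant = ownerApi
                .addRoleResourcesForPrincipal(
                        principal(CHILD_RESOURCE_OWNER),
                        "ResourceOwner",
                        new ResourcesRequest(this.kafkaClusterScope, Collections.singletonList(resourcePattern)))
                .execute();
        Assert.assertTrue(description, grant.isSuccessful());
        Assert.assertEquals(description, 204L, grant.code());

        Action readGranted = new Action(
                this.kafkaClusterScope.scope(),
                resourcePattern.resourceType(),
                resourcePattern.name(),
                this.readOp);
        Response<?> authorized = ownerApi
                .authorize(new AuthorizeRequest(
                        principal(CHILD_RESOURCE_OWNER), Collections.singletonList(readGranted)))
                .execute();
        assertAuthorizeResults(authorized, AuthorizeResult.ALLOWED);
    }

    /**
     * Rows of (granting user, receiving user, role).
     *
     * <p>The rows are order-dependent: the third row delegates from the principal that receives
     * its binding in the first row, so this provider must stay non-parallel.
     */
    @DataProvider
    public static Object[][] cloneUsersAndRoles() {
        return new Object[][] {
            {ROOT_RESOURCE_OWNER, CLONE_RESOURCE_OWNER, "ResourceOwner"},
            {ROOT_RESOURCE_OWNER, CLONE_DEVELOPER, "DeveloperRead"},
            {CLONE_RESOURCE_OWNER, CLONE_CLONE_RESOURCE_OWNER, "ResourceOwner"}
        };
    }

    /**
     * A resource owner may pass on its full set of patterns. The receiver ends up with the same
     * topic and group access; the cluster action (index 4) is allowed only when the delegated
     * role is {@code ResourceOwner}, and the two out-of-grant actions stay denied.
     *
     * @param granter user whose client performs the grant
     * @param receiver user that receives the binding and is then checked
     * @param roleName role bound to the receiver
     */
    @Test(dataProvider = "cloneUsersAndRoles")
    public void resourceOwnerCanCloneItself(String granter, String receiver, String roleName) throws Throwable {
        Assert.assertEquals(
                "Should have setup " + receiver,
                204L,
                this.retrofitClients
                        .get(granter)
                        .addRoleResourcesForPrincipal(
                                principal(receiver),
                                roleName,
                                new ResourcesRequest(this.kafkaClusterScope, ROOT_KAFKA_PATTERNS))
                        .execute()
                        .code());

        Response<?> authorized = this.retrofitClients
                .get(receiver)
                .authorize(new AuthorizeRequest(principal(receiver), this.rootKafkaActions))
                .execute();
        AuthorizeResult clusterAccess =
                "ResourceOwner".equals(roleName) ? AuthorizeResult.ALLOWED : AuthorizeResult.DENIED;
        assertAuthorizeResults(
                authorized,
                AuthorizeResult.ALLOWED,
                AuthorizeResult.ALLOWED,
                AuthorizeResult.ALLOWED,
                AuthorizeResult.ALLOWED,
                clusterAccess,
                AuthorizeResult.DENIED,
                AuthorizeResult.DENIED);
    }

    /** Returns the display name set for the current thread by {@link #updateDisplayName}. */
    @Override
    public String getTestName() {
        return this.testName.get();
    }

    /**
     * Records the method name plus quorum as the display name of the test about to run.
     *
     * @param method test method about to be invoked
     * @param testArgs arguments of that invocation (unused)
     */
    @BeforeMethod
    public void updateDisplayName(Method method, Object[] testArgs) {
        this.testName.set(method.getName() + "_" + this.quorum);
    }

    /** Builds the principal string used by the API for a test user. */
    private static String principal(String user) {
        return "User:" + user;
    }

    /** Asserts a 200 authorize response whose body lists exactly the expected results, in order. */
    private static void assertAuthorizeResults(Response<?> response, AuthorizeResult... expected) {
        Assert.assertEquals(200L, response.code());
        List<?> results = (List<?>) response.body();
        Assert.assertNotNull("authorize response has no body", results);
        Assert.assertEquals(expected.length, results.size());
        for (int i = 0; i < expected.length; i++) {
            Assert.assertEquals("authorize result at index " + i, expected[i], results.get(i));
        }
    }
}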
