package io.confluent.rbacapi;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import integration.rbacapi.api.v1.LookupTest;
import io.confluent.rbacapi.entities.ClusterAccessInfo;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.services.ClusterAccessProcessor;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.Authorizer;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.rbac.RbacRoles;
import io.confluent.security.rbac.RoleBinding;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.mockito.ArgumentMatchers;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.MockitoAnnotations;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
import utils.RolesTestUtils;
import utils.ScopeBuilder;

/* loaded from: input_file:io/confluent/rbacapi/ClusterAccessProcessorTest.class */
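/**
 * Unit tests for {@link ClusterAccessProcessor}: given the role bindings a principal holds in a
 * scope, they pin the access operations ({@code AlterAccess} / {@code DescribeAccess}) the
 * processor reports at cluster level and per resource type.
 *
 * <p>The expectations are authorization-relevant. A change that widens what a role is reported to
 * be allowed to do (for example {@code ClusterAdmin} or {@code Operator} gaining an access
 * operation) must fail here rather than pass silently.
 *
 * <p>NOTE(review): every binding in this class uses {@link PatternType#LITERAL}; prefixed resource
 * patterns are not exercised by these tests.
 */
public class ClusterAccessProcessorTest {
    private static final KafkaPrincipal USER_1 = new KafkaPrincipal("User", "user1");

    /** Resource types the tests expect to be reported for a Kafka-cluster scope. */
    private static final Set<String> KAFKA_RESOURCE_TYPES =
            ImmutableSet.of("Topic", "Cluster", LookupTest.GROUP_TYPE, "TransactionalId");

    @Mock
    private AuthCache authCache;

    @Mock
    private Authorizer authorizer;
    private ClusterAccessProcessor clusterAccessProcessor;

    /** Creates fresh mocks and a processor backed by the default RBAC role policy. */
    @BeforeMethod
    public void setup() {
        MockitoAnnotations.initMocks(this);
        Mockito.when(this.authCache.rbacRoles()).thenReturn(RbacRoles.loadDefaultPolicy(false));
        this.clusterAccessProcessor = new ClusterAccessProcessor(this.authCache);
    }

    /** Clears stubbing and recorded interactions so each test verifies only its own calls. */
    @AfterMethod
    public void tearDown() {
        Mockito.reset(this.authCache, this.authorizer);
    }

    /**
     * A principal holding both SecurityAdmin (cluster-wide) and ResourceOwner (on one topic) is
     * expected to get {@code DescribeAccess} everywhere and {@code AlterAccess} on {@code Topic}
     * only.
     */
    @Test
    public void testSecurityAdminAndResourceOwner() {
        MdsScope kafkaScope = ScopeBuilder.withKafka("K1").build();
        stubRoleBindings(
                kafkaScope,
                new RoleBinding(USER_1, RolesTestUtils.RESOURCE_OWNER_ROLE.name(), kafkaScope.scope(),
                        Collections.singletonList(literal("Topic", "kafka1_t1"))),
                new RoleBinding(USER_1, RolesTestUtils.SECURITY_ADMIN_ROLE.name(), kafkaScope.scope(),
                        Collections.emptyList()));

        ClusterAccessInfo actual = this.clusterAccessProcessor.process(USER_1, kafkaScope.scope());

        verifySingleLookup(kafkaScope);
        ClusterAccessInfo expected = new ClusterAccessInfo(
                ImmutableList.of("DescribeAccess"),
                ImmutableMap.of(
                        "Cluster", ImmutableList.of("DescribeAccess"),
                        LookupTest.GROUP_TYPE, ImmutableList.of("DescribeAccess"),
                        "Topic", ImmutableList.of("AlterAccess", "DescribeAccess"),
                        "TransactionalId", ImmutableList.of("DescribeAccess")));
        Assert.assertThat(actual, CoreMatchers.equalTo(expected));
    }

    /** One row per Kafka resource type a ResourceOwner binding can target. */
    @DataProvider
    public static Object[][] kafkaResourceTypes() {
        // Must be a two-dimensional array literal: a plain Object[] does not satisfy Object[][].
        return new Object[][] {
            {"Cluster"},
            {LookupTest.GROUP_TYPE},
            {"Topic"},
            {"TransactionalId"},
        };
    }

    /**
     * A ResourceOwner binding on one resource type must grant access operations for that type
     * only: no cluster-level access, nothing for the other Kafka types, and the extra binding on
     * an unknown resource type must not add an entry to the result.
     *
     * @param resourceType the Kafka resource type the valid binding targets
     */
    @Test(dataProvider = "kafkaResourceTypes")
    public void testResourceOwnerRole(String resourceType) {
        MdsScope kafkaScope = ScopeBuilder.withKafka("K1").build();
        stubRoleBindings(
                kafkaScope,
                new RoleBinding(USER_1, RolesTestUtils.RESOURCE_OWNER_ROLE.name(), kafkaScope.scope(),
                        Collections.singletonList(literal(resourceType, "kafka1_t1"))),
                new RoleBinding(USER_1, RolesTestUtils.RESOURCE_OWNER_ROLE.name(), kafkaScope.scope(),
                        Collections.singletonList(literal("BadResourceType", "pants"))));

        ClusterAccessInfo actual = this.clusterAccessProcessor.process(USER_1, kafkaScope.scope());

        verifySingleLookup(kafkaScope);
        Assert.assertThat(actual.getClusterAccess(), CoreMatchers.equalTo(ImmutableList.of()));
        // Exact key-set match: "BadResourceType" must not appear among the reported types.
        Assert.assertThat(
                actual.getResourcesAccess().keySet(), CoreMatchers.equalTo(KAFKA_RESOURCE_TYPES));
        Assert.assertThat(
                actual.getResourcesAccess().get(resourceType),
                CoreMatchers.equalTo(ImmutableList.of("AlterAccess", "DescribeAccess")));

        // Every type the principal owns nothing in must come back with an empty operation list.
        Set<String> unownedTypes = new HashSet<>(KAFKA_RESOURCE_TYPES);
        unownedTypes.remove(resourceType);
        for (String unownedType : unownedTypes) {
            Assert.assertThat(
                    actual.getResourcesAccess().get(unownedType),
                    CoreMatchers.equalTo(ImmutableList.of()));
        }
    }

    /**
     * Role name paired with the access operations expected for a cluster-scoped binding of it.
     * ClusterAdmin and Operator are expected to receive none.
     */
    @DataProvider
    public static Object[][] kafkaClusterRoleData() {
        return new Object[][] {
            {"SystemAdmin", ImmutableList.of("AlterAccess", "DescribeAccess")},
            {"UserAdmin", ImmutableList.of("AlterAccess", "DescribeAccess")},
            {"SecurityAdmin", ImmutableList.of("DescribeAccess")},
            {"ClusterAdmin", ImmutableList.of()},
            {"Operator", ImmutableList.of()},
        };
    }

    /**
     * A cluster-scoped role binding (no resource patterns) must yield the same operation list at
     * cluster level and for every Kafka resource type.
     *
     * @param roleName name of the role bound to the principal
     * @param expectedOperations operations expected at cluster level and per resource type
     */
    @Test(dataProvider = "kafkaClusterRoleData")
    public void testClusterScopedRole(String roleName, List<String> expectedOperations) {
        MdsScope kafkaScope = ScopeBuilder.withKafka("K1").build();
        stubRoleBindings(
                kafkaScope,
                new RoleBinding(USER_1, roleName, kafkaScope.scope(), Collections.emptyList()));

        ClusterAccessInfo actual = this.clusterAccessProcessor.process(USER_1, kafkaScope.scope());

        verifySingleLookup(kafkaScope);
        Assert.assertThat(actual.getClusterAccess(), CoreMatchers.equalTo(expectedOperations));
        Assert.assertThat(
                actual.getResourcesAccess().keySet(), CoreMatchers.equalTo(KAFKA_RESOURCE_TYPES));
        for (String resourceType : KAFKA_RESOURCE_TYPES) {
            Assert.assertThat(
                    actual.getResourcesAccess().get(resourceType),
                    CoreMatchers.equalTo(expectedOperations));
        }
    }

    /** Scope paired with the resource types expected to be reported for it. */
    @DataProvider
    public static Object[][] emptyScopeData() {
        return new Object[][] {
            {ScopeBuilder.withKafka("K1").build(), KAFKA_RESOURCE_TYPES},
            {ScopeBuilder.withKafka("K1").withConnect("C1").build(), ImmutableSet.of("Connector")},
            {ScopeBuilder.withKafka("K1").withSR("S1").build(), ImmutableSet.of("Subject", "Kek")},
            {ScopeBuilder.withKafka("K1").withKSQL("ksql1").build(), ImmutableSet.of("KsqlCluster")},
        };
    }

    /**
     * A principal with no role bindings in the scope must get no cluster-level access, while the
     * result still lists the resource types that belong to the scope.
     *
     * @param mdsScope scope under test
     * @param expectedResourceTypes resource types expected as keys of the per-resource result
     */
    @Test(dataProvider = "emptyScopeData")
    public void testNoopResults(MdsScope mdsScope, Set<String> expectedResourceTypes) {
        stubRoleBindings(mdsScope);

        ClusterAccessInfo actual = this.clusterAccessProcessor.process(USER_1, mdsScope.scope());

        verifySingleLookup(mdsScope);
        Assert.assertThat(actual.getClusterAccess(), CoreMatchers.equalTo(ImmutableList.of()));
        Assert.assertThat(
                actual.getResourcesAccess().keySet(), CoreMatchers.equalTo(expectedResourceTypes));
    }

    /** Makes the mocked cache return {@code bindings} for {@link #USER_1} in exactly this scope. */
    private void stubRoleBindings(MdsScope mdsScope, RoleBinding... bindings) {
        // Plain arguments are matched with equals(), so no raw-typed eq() matchers are needed.
        Mockito.when(this.authCache.rbacRoleBindings(USER_1, ImmutableSet.of(mdsScope.scope())))
                .thenReturn(ImmutableSet.copyOf(bindings));
    }

    /** Asserts the processor looked up the principal's bindings once, for this scope only. */
    private void verifySingleLookup(MdsScope mdsScope) {
        Mockito.verify(this.authCache, Mockito.times(1))
                .rbacRoleBindings(USER_1, ImmutableSet.of(mdsScope.scope()));
    }

    /** Builds a LITERAL resource pattern for the given resource type and resource name. */
    private ResourcePattern literal(String resourceType, String name) {
        return new ResourcePattern(resourceType, name, PatternType.LITERAL);
    }
}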
