package io.confluent.rbacapi;

import io.confluent.kafka.test.utils.KafkaTestUtils;
import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.security.auth.store.cache.DefaultAuthCache;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.EmbeddedAuthorizer;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.PermissionType;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourcePatternFilter;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.acl.AclRule;
import io.confluent.security.test.utils.RbacTestUtils;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.errors.AuthorizationException;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo;
import org.eclipse.jetty.security.AbstractLoginService;
import org.eclipse.jetty.util.security.Credential;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.MockitoAnnotations;

/* loaded from: input_file:io/confluent/rbacapi/SecurityMetadataAuthorizerTest.class */
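/**
 * Unit tests for {@link SecurityMetadataAuthorizer}, as exercised here: whether a REST caller may
 * submit authorize requests naming a principal, and whether a caller may describe or alter security
 * metadata (role bindings and ACLs) for a given scope.
 *
 * <p>Two mocked {@link SecurityContext}s stand in for the REST callers Alice and Bob. Role and ACL
 * bindings are written straight into the auth cache of the {@code MOCK_RBAC} access-rule provider,
 * so every test starts with no grants and adds exactly the bindings it needs. Expected denials are
 * asserted through {@link #verifyAuthorizationFailure(Runnable)}, which requires an
 * {@link AuthorizationException} to surface; a silent pass there would be a missing access check.
 *
 * <p>Two boundaries recur throughout: a grant on {@code clusterA} must not carry over to
 * {@code clusterB}, and a caller asking about a principal other than their own is denied unless a
 * sufficiently broad role (e.g. {@code UserAdmin}) is bound on the scope.
 */
public class SecurityMetadataAuthorizerTest {

    // Mocked REST caller identities; getUserPrincipal() is stubbed in setUp().
    @Mock
    private SecurityContext aliceContext;

    @Mock
    private SecurityContext bobContext;

    // Two Kafka cluster scopes under the same organization; grants on one must not apply to the other.
    private final Scope clusterA = new Scope.Builder(new String[]{"testOrg"}).withKafkaCluster("clusterA").build();
    private final Scope clusterB = new Scope.Builder(new String[]{"testOrg"}).withKafkaCluster("clusterB").build();
    // Scope handed to the authorizer under test; used by the no-scope overload test.
    private final Scope metadataCluster = new Scope.Builder(new String[]{"testOrg"}).withKafkaCluster("metadataCluster").build();
    private final KafkaPrincipal alice = new KafkaPrincipal("User", "Alice");
    private final KafkaPrincipal bob = new KafkaPrincipal("User", "Bob");
    // A literal topic and a prefix that matches it; "sometopic" (built inline below) matches neither.
    private final ResourcePattern topicResource = new ResourcePattern(new ResourceType("Topic"), "testtopic", PatternType.LITERAL);
    private final ResourcePattern topicPrefix = new ResourcePattern(new ResourceType("Topic"), "test", PatternType.PREFIXED);
    private final List<Action> topicRead = Collections.singletonList(new Action(this.clusterA, new ResourceType("Topic"), "testtopic", new Operation("Read")));
    private final List<Action> topicWrite = Collections.singletonList(new Action(this.clusterA, new ResourceType("Topic"), "testtopic", new Operation("Write")));
    private EmbeddedAuthorizer embeddedAuthorizer;
    private DefaultAuthCache authCache;
    private SecurityMetadataAuthorizer metadataAuthorizer;

    /**
     * Starts an {@link EmbeddedAuthorizer} backed by the {@code MOCK_RBAC} provider, keeps a handle
     * on its auth cache so tests can inject bindings, and builds the authorizer under test with
     * {@link #metadataCluster} as its scope.
     */
    @Before
    public void setUp() throws Exception {
        MockitoAnnotations.initMocks(this);
        Mockito.when(this.aliceContext.getUserPrincipal()).thenReturn(new AbstractLoginService.UserPrincipal("Alice", (Credential) null));
        Mockito.when(this.bobContext.getUserPrincipal()).thenReturn(new AbstractLoginService.UserPrincipal("Bob", (Credential) null));
        this.embeddedAuthorizer = new EmbeddedAuthorizer();
        Map<String, Object> configs = new HashMap<>();
        configs.put("confluent.authorizer.access.rule.providers", "MOCK_RBAC");
        configs.put("confluent.metadata.server.listeners", "http://127.0.0.1:8090");
        configs.put("bootstrap.servers", "localhost:9092");
        // No real broker here; keep the event logger from trying to create its topic.
        configs.put("confluent.security.event.logger.exporter.kafka.topic.create", "false");
        this.embeddedAuthorizer.configure(configs);
        ConfluentAuthorizerServerInfo serverInfo = KafkaTestUtils.serverInfo("clusterA", new SecurityProtocol[]{SecurityProtocol.PLAINTEXT});
        this.embeddedAuthorizer.configureServerInfo(serverInfo);
        this.embeddedAuthorizer.start(serverInfo, () -> {
        }).get();
        this.authCache = this.embeddedAuthorizer.accessRuleProvider("MOCK_RBAC").authStore().authCache();
        this.metadataAuthorizer = new SecurityMetadataAuthorizer(this.embeddedAuthorizer, this.metadataCluster);
    }

    /** Closes the embedded authorizer and checks that it left no threads behind. */
    @After
    public void tearDown() throws Exception {
        if (this.embeddedAuthorizer != null) {
            this.embeddedAuthorizer.close();
        }
        KafkaTestUtils.verifyThreadCleanup();
    }

    /**
     * Authorize requests with a {@code DeveloperRead} binding on {@code testtopic}.
     *
     * <p>Each caller may submit a request for their own principal; the action list deliberately
     * mixes the bound topic with an unbound one and no exception is expected either way. A caller
     * naming a different principal is denied until that caller holds {@code UserAdmin} on the
     * scope; Bob, who never gets it, stays denied when naming Alice.
     */
    @Test
    public void testAuthorizeRequest() throws Exception {
        RbacTestUtils.updateRoleBinding(this.authCache, this.alice, "DeveloperRead", this.clusterA, Collections.singleton(this.topicResource));
        List<Action> actions = Arrays.asList(
                new Action(this.clusterA, new ResourceType("Topic"), "sometopic", new Operation("Read")),
                new Action(this.clusterA, new ResourceType("Topic"), "testtopic", new Operation("Read")),
                new Action(this.clusterA, new ResourceType("Topic"), "sometopic", new Operation("Describe")),
                new Action(this.clusterA, new ResourceType("Topic"), "testtopic", new Operation("Describe")));
        this.metadataAuthorizer.authorizeAuthorizeRequest(this.aliceContext, this.alice, actions);
        this.metadataAuthorizer.authorizeAuthorizeRequest(this.bobContext, this.bob, actions);
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeAuthorizeRequest(this.aliceContext, this.bob, actions));
        RbacTestUtils.updateRoleBinding(this.authCache, this.alice, "UserAdmin", this.clusterA, Collections.emptySet());
        this.metadataAuthorizer.authorizeAuthorizeRequest(this.aliceContext, this.bob, actions);
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeAuthorizeRequest(this.bobContext, this.alice, actions));
    }

    /**
     * Authorize requests with a {@code ResourceOwner} binding on the {@code test} prefix.
     *
     * <p>Alice may name Bob for an action on {@code testtopic}, which lies inside her prefix. Once
     * the action list also touches {@code sometopic}, outside the prefix, cross-principal requests
     * are denied in both directions while each caller may still name themselves.
     */
    @Test
    public void testResourceOwnerAuthorize() throws Exception {
        RbacTestUtils.updateRoleBinding(this.authCache, this.alice, "ResourceOwner", this.clusterA, Collections.singleton(this.topicPrefix));
        this.metadataAuthorizer.authorizeAuthorizeRequest(this.aliceContext, this.alice, this.topicRead);
        this.metadataAuthorizer.authorizeAuthorizeRequest(this.aliceContext, this.bob, this.topicWrite);
        List<Action> actions = Arrays.asList(
                new Action(this.clusterA, new ResourceType("Topic"), "sometopic", new Operation("Read")),
                new Action(this.clusterA, new ResourceType("Topic"), "testtopic", new Operation("Read")),
                new Action(this.clusterA, new ResourceType("Topic"), "sometopic", new Operation("DescribeConfigs")),
                new Action(this.clusterA, new ResourceType("Topic"), "testtopic", new Operation("DescribeConfigs")));
        this.metadataAuthorizer.authorizeAuthorizeRequest(this.aliceContext, this.alice, actions);
        this.metadataAuthorizer.authorizeAuthorizeRequest(this.bobContext, this.bob, actions);
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeAuthorizeRequest(this.bobContext, this.alice, actions));
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeAuthorizeRequest(this.aliceContext, this.bob, actions));
    }

    /** An {@link Action} built from a PREFIXED pattern is rejected as an invalid argument. */
    @Test(expected = IllegalArgumentException.class)
    public void testPrefixedResourceAuthorize() throws Exception {
        this.metadataAuthorizer.authorizeAuthorizeRequest(this.aliceContext, this.bob,
                Collections.singletonList(new Action(this.clusterA, this.topicPrefix, new Operation("Read"))));
    }

    /**
     * Security-metadata DESCRIBE/ALTER is denied with no binding; {@code UserAdmin} on
     * {@code clusterA} grants both there and nothing on {@code clusterB}.
     */
    @Test
    public void testSecurityMetadataAccess() throws Exception {
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeSecurityMetadataAccess(this.aliceContext, this.clusterA, SecurityMetadataAuthorizer.DESCRIBE));
        RbacTestUtils.updateRoleBinding(this.authCache, this.alice, "UserAdmin", this.clusterA, Collections.emptySet());
        this.metadataAuthorizer.authorizeSecurityMetadataAccess(this.aliceContext, this.clusterA, SecurityMetadataAuthorizer.DESCRIBE);
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeSecurityMetadataAccess(this.aliceContext, this.clusterB, SecurityMetadataAuthorizer.DESCRIBE));
        this.metadataAuthorizer.authorizeSecurityMetadataAccess(this.aliceContext, this.clusterA, SecurityMetadataAuthorizer.ALTER);
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeSecurityMetadataAccess(this.aliceContext, this.clusterB, SecurityMetadataAuthorizer.ALTER));
    }

    /**
     * The overload without an explicit scope: denied at first, allowed once {@code UserAdmin} is
     * bound on {@link #metadataCluster}, the scope the authorizer was constructed with.
     */
    @Test
    public void testSecurityMetadataAccessDefaultScope() throws Exception {
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeSecurityMetadataAccess(this.aliceContext, SecurityMetadataAuthorizer.DESCRIBE));
        RbacTestUtils.updateRoleBinding(this.authCache, this.alice, "UserAdmin", this.metadataCluster, Collections.emptySet());
        this.metadataAuthorizer.authorizeSecurityMetadataAccess(this.aliceContext, SecurityMetadataAuthorizer.DESCRIBE);
    }

    /**
     * Resource-pattern access with {@code ResourceOwner} on the {@code test} prefix: DESCRIBE_ACCESS
     * is allowed for the literal {@code testtopic} and for the prefix itself in {@code clusterA},
     * denied for {@code clusterB} and for the non-matching {@code sometopic}. A separate
     * {@code UserAdmin} binding on {@code clusterB} is what unlocks ALTER_ACCESS there.
     */
    @Test
    public void testResourcePatternAccess() throws Exception {
        RbacTestUtils.updateRoleBinding(this.authCache, this.alice, "ResourceOwner", this.clusterA, Collections.singleton(this.topicPrefix));
        this.metadataAuthorizer.authorizeResourceAccess(this.aliceContext, this.clusterA, Collections.singleton(this.topicResource), SecurityMetadataAuthorizer.DESCRIBE_ACCESS);
        this.metadataAuthorizer.authorizeResourceAccess(this.aliceContext, this.clusterA, Collections.singleton(this.topicPrefix), SecurityMetadataAuthorizer.DESCRIBE_ACCESS);
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeResourceAccess(this.aliceContext, this.clusterB, Collections.singleton(this.topicResource), SecurityMetadataAuthorizer.DESCRIBE_ACCESS));
        Set<ResourcePattern> otherTopic = Collections.singleton(new ResourcePattern(new ResourceType("Topic"), "sometopic", PatternType.LITERAL));
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeResourceAccess(this.aliceContext, this.clusterA, otherTopic, SecurityMetadataAuthorizer.DESCRIBE_ACCESS));
        RbacTestUtils.updateRoleBinding(this.authCache, this.alice, "UserAdmin", this.clusterB, Collections.emptySet());
        this.metadataAuthorizer.authorizeResourceAccess(this.aliceContext, this.clusterB, Collections.singleton(this.topicResource), SecurityMetadataAuthorizer.ALTER_ACCESS);
        this.metadataAuthorizer.authorizeResourceAccess(this.aliceContext, this.clusterB, Collections.singleton(this.topicPrefix), SecurityMetadataAuthorizer.ALTER_ACCESS);
    }

    /**
     * Filtered access, where the caller supplies {@link ResourcePatternFilter}s instead of concrete
     * patterns.
     *
     * <p>With {@code ResourceOwner} on the {@code test} prefix, Alice gets ALTER_ACCESS for filters
     * on {@code testtopic} (LITERAL and ANY) and on the prefix, but not for {@code sometopic}; a
     * later {@code UserAdmin} binding allows DESCRIBE_ACCESS on that filter. Bob, made
     * {@code ResourceOwner} on the literal {@code *} pattern, gets ALTER_ACCESS on the
     * {@code sometopic} filter. For a filter with a {@code null} name, Alice (UserAdmin) may
     * DESCRIBE while Bob's ALTER is denied.
     */
    @Test
    public void testResourcePatternFilterAccess() throws Exception {
        ResourceType topicType = new ResourceType("Topic");
        ResourcePatternFilter testTopicAnyFilter = new ResourcePatternFilter(topicType, "testtopic", PatternType.ANY);
        ResourcePatternFilter someTopicFilter = new ResourcePatternFilter(topicType, "sometopic", PatternType.LITERAL);
        RbacTestUtils.updateRoleBinding(this.authCache, this.alice, "ResourceOwner", this.clusterA, Collections.singleton(this.topicPrefix));
        this.metadataAuthorizer.authorizeFilteredAccess(this.aliceContext, this.clusterA, Collections.singleton(this.topicResource.toFilter()), SecurityMetadataAuthorizer.ALTER_ACCESS);
        this.metadataAuthorizer.authorizeFilteredAccess(this.aliceContext, this.clusterA, Collections.singleton(this.topicPrefix.toFilter()), SecurityMetadataAuthorizer.ALTER_ACCESS);
        this.metadataAuthorizer.authorizeFilteredAccess(this.aliceContext, this.clusterA, Collections.singleton(testTopicAnyFilter), SecurityMetadataAuthorizer.ALTER_ACCESS);
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeFilteredAccess(this.aliceContext, this.clusterA, Collections.singleton(someTopicFilter), SecurityMetadataAuthorizer.ALTER_ACCESS));
        RbacTestUtils.updateRoleBinding(this.authCache, this.alice, "UserAdmin", this.clusterA, Collections.emptySet());
        this.metadataAuthorizer.authorizeFilteredAccess(this.aliceContext, this.clusterA, Collections.singleton(someTopicFilter), SecurityMetadataAuthorizer.DESCRIBE_ACCESS);
        RbacTestUtils.updateRoleBinding(this.authCache, this.bob, "ResourceOwner", this.clusterA, Collections.singleton(new ResourcePattern(topicType, "*", PatternType.LITERAL)));
        this.metadataAuthorizer.authorizeFilteredAccess(this.bobContext, this.clusterA, Collections.singleton(someTopicFilter), SecurityMetadataAuthorizer.ALTER_ACCESS);
        // A filter with no name at all: only the UserAdmin (Alice) may describe; Bob's alter is denied.
        ResourcePatternFilter unnamedFilter = new ResourcePatternFilter(topicType, (String) null, PatternType.LITERAL);
        this.metadataAuthorizer.authorizeFilteredAccess(this.aliceContext, this.clusterA, Collections.singleton(unnamedFilter), SecurityMetadataAuthorizer.DESCRIBE_ACCESS);
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeFilteredAccess(this.bobContext, this.clusterA, Collections.singleton(unnamedFilter), SecurityMetadataAuthorizer.ALTER_ACCESS));
    }

    /**
     * ACL access via the boolean {@code aclAccess} and the throwing {@code authorizeAclAccess}:
     * false with no binding, true on {@code clusterA} after {@code UserAdmin} there, still false on
     * {@code clusterB}; ALTER on {@code clusterB} throws.
     */
    @Test
    public void testAclSecurityMetadataAccess() {
        Assert.assertFalse(this.metadataAuthorizer.aclAccess(this.aliceContext, this.clusterA, this.topicResource, SecurityMetadataAuthorizer.DESCRIBE, SecurityMetadataAuthorizer.DESCRIBE_ACCESS));
        RbacTestUtils.updateRoleBinding(this.authCache, this.alice, "UserAdmin", this.clusterA, Collections.emptySet());
        Assert.assertTrue(this.metadataAuthorizer.aclAccess(this.aliceContext, this.clusterA, this.topicResource, SecurityMetadataAuthorizer.DESCRIBE, SecurityMetadataAuthorizer.DESCRIBE_ACCESS));
        Assert.assertFalse(this.metadataAuthorizer.aclAccess(this.aliceContext, this.clusterB, this.topicResource, SecurityMetadataAuthorizer.DESCRIBE, SecurityMetadataAuthorizer.DESCRIBE_ACCESS));
        this.metadataAuthorizer.authorizeAclAccess(this.aliceContext, this.clusterA, this.topicResource, SecurityMetadataAuthorizer.ALTER, SecurityMetadataAuthorizer.ALTER_ACCESS);
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeAclAccess(this.aliceContext, this.clusterB, this.topicResource, SecurityMetadataAuthorizer.ALTER, SecurityMetadataAuthorizer.ALTER_ACCESS));
    }

    /**
     * ACL access with {@code ResourceOwner} on the {@code test} prefix: DESCRIBE is granted for the
     * literal topic and the prefix on {@code clusterA}, denied on {@code clusterB} and for the
     * non-matching {@code sometopic}; {@code UserAdmin} on {@code clusterB} then allows ALTER there.
     */
    @Test
    public void testAclResourcePatternAccess() {
        RbacTestUtils.updateRoleBinding(this.authCache, this.alice, "ResourceOwner", this.clusterA, Collections.singleton(this.topicPrefix));
        Assert.assertTrue(this.metadataAuthorizer.aclAccess(this.aliceContext, this.clusterA, this.topicResource, SecurityMetadataAuthorizer.DESCRIBE, SecurityMetadataAuthorizer.DESCRIBE_ACCESS));
        Assert.assertTrue(this.metadataAuthorizer.aclAccess(this.aliceContext, this.clusterA, this.topicPrefix, SecurityMetadataAuthorizer.DESCRIBE, SecurityMetadataAuthorizer.DESCRIBE_ACCESS));
        Assert.assertFalse(this.metadataAuthorizer.aclAccess(this.aliceContext, this.clusterB, this.topicResource, SecurityMetadataAuthorizer.DESCRIBE, SecurityMetadataAuthorizer.DESCRIBE_ACCESS));
        Assert.assertFalse(this.metadataAuthorizer.aclAccess(this.aliceContext, this.clusterA, new ResourcePattern(new ResourceType("Topic"), "sometopic", PatternType.LITERAL), SecurityMetadataAuthorizer.DESCRIBE, SecurityMetadataAuthorizer.DESCRIBE_ACCESS));
        RbacTestUtils.updateRoleBinding(this.authCache, this.alice, "UserAdmin", this.clusterB, Collections.emptySet());
        this.metadataAuthorizer.authorizeAclAccess(this.aliceContext, this.clusterB, this.topicResource, SecurityMetadataAuthorizer.ALTER, SecurityMetadataAuthorizer.ALTER_ACCESS);
        this.metadataAuthorizer.authorizeAclAccess(this.aliceContext, this.clusterB, this.topicPrefix, SecurityMetadataAuthorizer.ALTER, SecurityMetadataAuthorizer.ALTER_ACCESS);
    }

    /**
     * ACL access granted by a cluster-level ACL rather than a role binding: an ALLOW Describe rule
     * for Alice on the {@code kafka-cluster} resource in {@code clusterA} makes DESCRIBE access
     * true there and leaves {@code clusterB} denied; {@code clusterB} needs its own Alter rule
     * before ALTER access passes.
     */
    @Test
    public void testAclWithClusterAcl() {
        Assert.assertFalse(this.metadataAuthorizer.aclAccess(this.aliceContext, this.clusterA, this.topicResource, SecurityMetadataAuthorizer.DESCRIBE, SecurityMetadataAuthorizer.DESCRIBE_ACCESS));
        // Fully-qualified because io.confluent...ResourceType is the imported name in this file.
        ResourcePattern clusterResource = new ResourcePattern(new ResourceType(org.apache.kafka.common.resource.ResourceType.CLUSTER.name()), "kafka-cluster", PatternType.LITERAL);
        RbacTestUtils.updateAclBinding(this.authCache, clusterResource, this.clusterA, Collections.singleton(new AclRule(this.alice, PermissionType.ALLOW, "127.0.0.1", new Operation("Describe"))));
        Assert.assertTrue(this.metadataAuthorizer.aclAccess(this.aliceContext, this.clusterA, this.topicResource, SecurityMetadataAuthorizer.DESCRIBE, SecurityMetadataAuthorizer.DESCRIBE_ACCESS));
        Assert.assertFalse(this.metadataAuthorizer.aclAccess(this.aliceContext, this.clusterB, this.topicResource, SecurityMetadataAuthorizer.DESCRIBE, SecurityMetadataAuthorizer.DESCRIBE_ACCESS));
        verifyAuthorizationFailure(() ->
                this.metadataAuthorizer.authorizeAclAccess(this.aliceContext, this.clusterB, this.topicResource, SecurityMetadataAuthorizer.ALTER, SecurityMetadataAuthorizer.ALTER_ACCESS));
        RbacTestUtils.updateAclBinding(this.authCache, clusterResource, this.clusterB, Collections.singleton(new AclRule(this.alice, PermissionType.ALLOW, "127.0.0.1", new Operation("Alter"))));
        this.metadataAuthorizer.authorizeAclAccess(this.aliceContext, this.clusterB, this.topicResource, SecurityMetadataAuthorizer.ALTER, SecurityMetadataAuthorizer.ALTER_ACCESS);
        this.metadataAuthorizer.authorizeAclAccess(this.aliceContext, this.clusterB, this.topicPrefix, SecurityMetadataAuthorizer.ALTER, SecurityMetadataAuthorizer.ALTER_ACCESS);
    }

    /**
     * Runs {@code runnable} and fails the test unless it throws {@link AuthorizationException}.
     * Only that exception type is accepted as a denial; anything else propagates, so a different
     * failure mode cannot masquerade as a correct access check.
     *
     * @param runnable the call expected to be denied
     */
    private void verifyAuthorizationFailure(Runnable runnable) {
        try {
            runnable.run();
            Assert.fail("Authorization did not fail");
        } catch (AuthorizationException expected) {
            // The denial is the assertion; nothing further to check on the exception.
        }
    }
}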
