package integration.rbacapi.api.v1;

import io.confluent.kafka.server.plugins.auth.token.IdentityProviderService;
import io.confluent.rbacapi.entities.ManagedRoleBindings;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.retrofit.v1.V1RbacRestApi;
import io.confluent.rbacapi.retrofit.v1.V1RbacRetrofitFactory;
import io.confluent.security.authentication.http.HttpClient;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.tokenapi.entities.AuthenticationResponse;
import java.lang.reflect.Method;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Form;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.testng.Assert;
import org.testng.ITest;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Factory;
import org.testng.annotations.Test;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;
import utils.QuorumTestInfo;

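/**
 * Integration tests for the MDS v1 RBAC REST API when callers authenticate with OAuth bearer
 * tokens obtained from a test identity provider (IdP).
 *
 * <p>Each test fetches a JWT from the IdP with the client-credentials grant, builds a REST client
 * around it, and checks either a successful call or an authorization denial. The class is
 * instantiated once per quorum mode via {@link #quorums()}.
 *
 * <p>NOTE(review): {@code app1-developer} is the only client these tests expect to succeed at
 * adding role bindings, and it is the name passed to {@code KafkaConfigTool.justOAuth}; it is
 * presumably configured as the privileged principal. Confirm against KafkaConfigTool.
 *
 * <p>NOTE(review): no teardown is visible in this class. Role bindings created by one test stay
 * in the cluster for later tests, and neither the cluster nor the IdP is stopped here.
 */
@Test(groups = {"tokenTests"})
public class MdsApisOauthTokenTest implements ITest {
    // Client expected to be allowed to manage role bindings (see class note).
    private static final String PRIVILEGED_CLIENT = "app1-developer";
    // Client expected to be denied on role-binding management and lookups of other principals.
    private static final String UNPRIVILEGED_CLIENT = "app2-developer";

    private RbacClusters rbacClusters;
    private int actualMdsPort;
    private IdentityProviderService idpService;
    private final String quorum;
    private String testName;
    private final List<String> expectedGroups = Arrays.asList("app-developers", "xyz-group", "abc-group");
    private final List<String> expectedRoles = Arrays.asList("AuditAdmin", "ClusterAdmin", "DeveloperManage", "DeveloperRead", "DeveloperWrite", "Operator", "ResourceOwner", "SecurityAdmin", "SystemAdmin", "UserAdmin");
    private final List<String> expectedAssignedRoles = Arrays.asList("AuditAdmin", "UserAdmin");

    /**
     * Holds the single IdP fixture shared by every instance the factory creates.
     *
     * <p>NOTE(review): {@link #setUp()} calls {@code start()} on this same instance once per
     * quorum; this relies on {@code start()} being safe to call repeatedly. Confirm.
     */
    public static class SharedIdpService {
        public static final IdentityProviderService idpService = new IdentityProviderService();
    }

    /**
     * Creates one test instance for the given quorum mode.
     *
     * @param quorum quorum mode name supplied by {@link #quorums()}
     */
    @Factory(dataProvider = "quorums")
    public MdsApisOauthTokenTest(String quorum) {
        this.quorum = quorum;
    }

    /**
     * Supplies the quorum modes the test class is run against.
     *
     * @return one single-element row per quorum mode
     */
    @DataProvider
    private static Object[][] quorums() {
        // The outer array must be Object[][]: a plain Object[] does not satisfy the return type.
        return new Object[][] {{"kraft"}, {"kraft_combined"}, {"zk"}};
    }

    /** Returns the display name set by {@link #updateDisplayName(Method, Object[])}. */
    @Override
    public String getTestName() {
        return this.testName;
    }

    /**
     * Suffixes the reported test name with the quorum mode so runs can be told apart.
     *
     * @param method the test method about to run
     * @param params the test method's parameters (unused)
     */
    @BeforeMethod
    public void updateDisplayName(Method method, Object[] params) {
        this.testName = method.getName() + "_" + this.quorum;
    }

    /**
     * Starts the shared IdP, brings up an RBAC cluster configured for OAuth, and records the port
     * MDS is actually listening on.
     */
    @BeforeClass
    public void setUp() throws Exception {
        this.idpService = SharedIdpService.idpService;
        this.idpService.setStartupTimeout(Duration.ofMinutes(10L));
        this.idpService.start();
        this.rbacClusters = new RbacClusters(KafkaConfigTool.justOAuth(PRIVILEGED_CLIENT, -1, this.idpService), new QuorumTestInfo(this.quorum));
        this.actualMdsPort = MdsTestUtil.lookupActualMdsPort(this.rbacClusters);
    }

    /** Checks that MDS exchanges an IdP token for its own token carrying the expected claims. */
    @Test
    public void issueTokenTest() throws Exception {
        V1RbacRestApi api = apiFor(UNPRIVILEGED_CLIENT);
        String mdsToken = ((AuthenticationResponse) api.issueToken().execute().body()).authenticationToken();
        // Signature verification and every validator are switched off, so this test only inspects
        // claim contents. It does not show that the MDS token is signed, unexpired, or bound to an
        // audience; a consumer built this way must not be used for any trust decision.
        JwtClaims claims = new JwtConsumerBuilder()
                .setSkipSignatureVerification()
                .setDisableRequireSignature()
                .setSkipAllValidators()
                .build()
                .processToClaims(mdsToken);
        Assert.assertEquals(claims.getIssuer(), "Confluent");
        Assert.assertTrue(claims.hasClaim("groups"));
        Assert.assertEquals(claims.getStringListClaimValue("groups"), this.expectedGroups);
    }

    /** Checks that active-node lookup succeeds for both protocols and only "http" has a node. */
    @Test
    public void activeNodesTest() throws Exception {
        V1RbacRestApi api = apiFor(UNPRIVILEGED_CLIENT);
        Assert.assertTrue(api.activeNodes("http").execute().isSuccessful());
        Assert.assertTrue(api.activeNodes("https").execute().isSuccessful());
        List<?> httpNodes = (List<?>) api.activeNodes("http").execute().body();
        List<?> httpsNodes = (List<?>) api.activeNodes("https").execute().body();
        Assert.assertTrue(httpsNodes.isEmpty());
        Assert.assertEquals(httpNodes.size(), 1);
    }

    /** Checks that any authenticated client can list the role names. */
    @Test
    public void roleNameTest() throws Exception {
        V1RbacRestApi api = apiFor(UNPRIVILEGED_CLIENT);
        Assert.assertEquals((List<?>) api.getRoleNames().execute().body(), this.expectedRoles);
    }

    /** Checks that only the privileged client may add a cluster role binding. */
    @Test
    public void addRoleBindingTest() throws Exception {
        V1RbacRestApi unprivilegedApi = apiFor(UNPRIVILEGED_CLIENT);
        V1RbacRestApi privilegedApi = apiFor(PRIVILEGED_CLIENT);
        // NOTE(review): this denial check passes on any non-2xx status (401, 404, 500, ...).
        // The other denial checks in this class assert 403 explicitly; consider doing the same
        // here so a server error cannot be mistaken for an authorization decision.
        Assert.assertFalse(unprivilegedApi.addClusterRoleForPrincipal("User:mds", "AuditAdmin", metadataClusterScope()).execute().isSuccessful());
        Assert.assertTrue(privilegedApi.addClusterRoleForPrincipal("User:mds", "AuditAdmin", metadataClusterScope()).execute().isSuccessful());
    }

    /**
     * Checks that a principal's role names are returned to the privileged client and that the
     * unprivileged client is refused with 403.
     */
    @Test
    public void getRoleNamesTest() throws Exception {
        V1RbacRestApi unprivilegedApi = apiFor(UNPRIVILEGED_CLIENT);
        V1RbacRestApi privilegedApi = apiFor(PRIVILEGED_CLIENT);
        Assert.assertTrue(privilegedApi.addClusterRoleForPrincipal("User:app1-developer", "AuditAdmin", metadataClusterScope()).execute().isSuccessful());
        Assert.assertTrue(privilegedApi.addClusterRoleForPrincipal("User:app1-developer", "UserAdmin", metadataClusterScope()).execute().isSuccessful());
        int deniedStatus = unprivilegedApi.getRoleNamesForPrincipal("User:app1-developer", metadataClusterScope()).execute().code();
        List<?> assignedRoles = (List<?>) privilegedApi.getRoleNamesForPrincipal("User:app1-developer", metadataClusterScope()).execute().body();
        Assert.assertEquals(deniedStatus, 403);
        Assert.assertEquals(assignedRoles, this.expectedAssignedRoles);
    }

    /**
     * Checks that a principal's resources are returned to the privileged client and that the
     * unprivileged client is refused with 403.
     */
    @Test
    public void getResourcesForPrincipalTest() throws Exception {
        V1RbacRestApi unprivilegedApi = apiFor(UNPRIVILEGED_CLIENT);
        V1RbacRestApi privilegedApi = apiFor(PRIVILEGED_CLIENT);
        Assert.assertTrue(privilegedApi.addClusterRoleForPrincipal("User:app1-developer", "AuditAdmin", metadataClusterScope()).execute().isSuccessful());
        int deniedStatus = unprivilegedApi.getResourcesForPrincipal("User:app1-developer", metadataClusterScope()).execute().code();
        Map<?, ?> resources = (Map<?, ?>) privilegedApi.getResourcesForPrincipal("User:app1-developer", metadataClusterScope()).execute().body();
        Assert.assertEquals(deniedStatus, 403);
        Assert.assertEquals(resources.size(), 1);
    }

    /** Checks the managed role bindings reported for the privileged principal. */
    @Test
    public void getManagedResourcesForPrincipalTest() throws Exception {
        V1RbacRestApi privilegedApi = apiFor(PRIVILEGED_CLIENT);
        Assert.assertTrue(privilegedApi.addClusterRoleForPrincipal("User:app1-developer", "AuditAdmin", metadataClusterScope()).execute().isSuccessful());
        Assert.assertTrue(privilegedApi.addClusterRoleForPrincipal("User:app1-developer", "UserAdmin", metadataClusterScope()).execute().isSuccessful());
        KafkaPrincipal principal = new KafkaPrincipal("User", "app1-developer");
        ManagedRoleBindings bindings = (ManagedRoleBindings) privilegedApi.getManagedResourcesForPrincipal(principal, null, metadataClusterScope()).execute().body();
        // NOTE(review): role bindings are never removed in this class, so these counts may depend
        // on bindings left behind by other tests and on execution order. TODO confirm.
        Assert.assertEquals(bindings.getClusterRoleBindings().size(), 2);
        Assert.assertEquals(((List<?>) bindings.getClusterRoleBindings().get(principal)).size(), 2);
    }

    /**
     * Builds a REST client that authenticates to MDS with a fresh IdP token for the given client.
     * The test fixtures use the client id as its own secret.
     */
    private V1RbacRestApi apiFor(String clientId) throws Exception {
        String jwt = getJwtFromIdp(clientId, clientId, this.idpService.getTokenEndpoint());
        return V1RbacRetrofitFactory.buildWithToken(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, jwt);
    }

    /** Returns a new scope object for the metadata Kafka cluster. */
    private MdsScope metadataClusterScope() {
        return new MdsScope(Scope.kafkaClusterScope(this.rbacClusters.metadataClusterId()));
    }

    /**
     * Requests an access token from the IdP using the OAuth client-credentials grant with HTTP
     * Basic client authentication.
     *
     * @param clientId OAuth client id
     * @param clientSecret OAuth client secret
     * @param tokenEndpoint URL of the IdP token endpoint
     * @return the {@code access_token} value from the IdP's JSON response
     * @throws Exception if the request fails or the response cannot be read
     */
    private String getJwtFromIdp(String clientId, String clientSecret, String tokenEndpoint) throws Exception {
        String basicCredentials = Base64.getEncoder().encodeToString((clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
        String accessToken = (String) HttpClient.builder().build().target(URI.create(tokenEndpoint)).request()
                .header("Authorization", "Basic " + basicCredentials)
                .accept(new String[]{"application/json"})
                .rx()
                .post(Entity.entity(new Form().param("grant_type", "client_credentials"), "application/x-www-form-urlencoded"))
                .thenApply(response -> (Map<?, ?>) response.readEntity(Map.class))
                .thenApply(map -> (String) map.get("access_token"))
                .toCompletableFuture()
                .get();
        // Fail here, naming the cause, rather than letting a missing token surface later as an
        // unexplained authentication failure against MDS.
        Assert.assertNotNull(accessToken, "IdP response contained no access_token for client " + clientId);
        return accessToken;
    }
}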
