package io.confluent.rbacapi.resources.base;

import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.services.ClusterRegistryService;
import io.confluent.rbacapi.validation.base.ValidationUtil;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.Authorizer;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.RbacRoles;
import io.confluent.security.rbac.RoleBinding;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.security.auth.ConfluentPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.MockitoAnnotations;

/* loaded from: input_file:io/confluent/rbacapi/resources/base/UserGroupResourceTest.class */
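/**
 * Regression test for {@link UserGroupResource#getUserGroupList} (tracked as CPSEC-317).
 *
 * <p>The scenario is a caller authenticated with a JWT whose group membership exists only in
 * the token's claims: {@code authCache.groups(...)} is stubbed to return an empty set, and the
 * only role binding ({@code SystemAdmin}) is handed out when the principal passed to
 * {@code authCache.rbacRoleBindings(...)} is a {@link ConfluentPrincipal} carrying the
 * {@code administrators} group. The call must not be rejected with a
 * {@link ForbiddenException}.
 */
public class UserGroupResourceTest {

    @Mock
    private Authorizer authorizer;

    @Mock
    private AuthCache authCache;

    @Mock
    private ClusterRegistryService clusterRegistryService;

    @Mock
    private ValidationUtil validationUtil;
    private SecurityMetadataAuthorizer metadataAuthorizer;
    private UserGroupResource resource;

    /**
     * Builds the resource under test on top of Mockito mocks.
     *
     * <p>The {@code authorizer} mock is left unstubbed, so it answers with Mockito defaults.
     * NOTE(review): how {@link SecurityMetadataAuthorizer} treats those defaults is not visible
     * here; confirm the test exercises the intended authorization path.
     */
    @Before
    public void setup() throws Exception {
        MockitoAnnotations.initMocks(this);
        this.metadataAuthorizer = new SecurityMetadataAuthorizer(this.authorizer, (Scope) Mockito.mock(Scope.class));
        this.resource = new UserGroupResource(this.authCache, this.clusterRegistryService, this.validationUtil, this.metadataAuthorizer);
    }

    /**
     * Verifies that a JWT principal whose admin rights come solely from a group claim is not
     * denied when listing users and groups.
     *
     * <p>NOTE(review): the failure message expects an empty list, but the return value is
     * discarded; assert on it once the return type is confirmed. This class also has no
     * companion case proving that a principal without the {@code administrators} claim is
     * rejected, so an over-permissive implementation would still pass.
     */
    @Test
    public void testGetUserGroupList() throws Exception {
        final String groupsClaim = "groups";
        final String adminGroup = "administrators";

        // Caller identity: user "tester" with the admin group present only in the JWT claims.
        JwtPrincipal jwtPrincipal = (JwtPrincipal) Mockito.mock(JwtPrincipal.class);
        Mockito.when(jwtPrincipal.getName()).thenReturn("tester");
        Mockito.when(jwtPrincipal.getGroupsClaimName()).thenReturn(groupsClaim);
        Mockito.when(jwtPrincipal.jwtClaims()).thenReturn(Collections.singletonMap(groupsClaim, Arrays.asList(adminGroup)));
        SecurityContext securityContext = (SecurityContext) Mockito.mock(SecurityContext.class);
        Mockito.when(securityContext.getUserPrincipal()).thenReturn(jwtPrincipal);

        // The metadata cache knows no groups for the caller, so the claim is the only source.
        Mockito.when(this.authCache.groups((KafkaPrincipal) Mockito.any())).thenReturn(Collections.emptySet());
        Mockito.when(this.authCache.rbacRoles()).thenReturn(RbacRoles.loadDefaultPolicy(false));
        Mockito.when(this.authCache.rbacRoleBindings((KafkaPrincipal) Mockito.any(), (Set) Mockito.any())).thenAnswer(invocation -> {
            // Keep the argument typed as KafkaPrincipal and narrow it only after the instanceof
            // check; assigning it straight to a ConfluentPrincipal variable does not compile.
            KafkaPrincipal principal = (KafkaPrincipal) invocation.getArgument(0);
            if (principal instanceof ConfluentPrincipal
                    && ((ConfluentPrincipal) principal).getGroups().contains(adminGroup)) {
                // SystemAdmin is granted only when the lookup principal carries the group.
                return Collections.singleton(new RoleBinding(new KafkaPrincipal("User", "tester"), "SystemAdmin", (Scope) Mockito.mock(Scope.class), Collections.emptySet()));
            }
            return Collections.emptySet();
        });
        Mockito.when(this.authCache.users()).thenReturn(Collections.emptyMap());

        try {
            this.resource.getUserGroupList(securityContext, "both", (MdsScope) Mockito.mock(MdsScope.class));
        } catch (ForbiddenException e) {
            Assert.fail("CPSEC-317, the call should succeed and return empty list");
        }
    }
}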
