package io.confluent.security.mtls;

import io.confluent.security.authentication.oauthbearer.JwksTestFixture;
import io.confluent.security.policyapi.exception.PolicyEngineException;
import io.confluent.security.policyapi.exception.PolicyViolationException;
import java.util.HashMap;
import java.util.Map;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.projectnessie.cel.Program;

/* loaded from: input_file:io/confluent/security/mtls/CertIdentityPoolFilterTest.class */
/**
 * Unit tests for {@link CertIdentityPoolFilter}, which compiles and evaluates pool-filter
 * expressions against attributes taken from a client certificate (DN, its components such as
 * CN/L/ST, SAN, SNID and SHA1).
 *
 * <p>Behaviour pinned by these tests:
 * <ul>
 *   <li>Expressions that reference an undeclared variable are rejected when compiled; variable
 *       names are case-sensitive ({@code san} is rejected while {@code SAN} is accepted).</li>
 *   <li>The ordering operators {@code >=} and {@code <} are rejected, and comparing an attribute
 *       with a number, map or list is rejected as a policy violation.</li>
 *   <li>An expression that does not evaluate to a boolean fails at evaluation time.</li>
 *   <li>{@code filter} returns {@code false} for a null or empty expression and for a null or
 *       empty attribute map.</li>
 *   <li>All string matching is case-sensitive, including hex serial numbers, fingerprints and
 *       IPv6 literals inside SAN.</li>
 * </ul>
 *
 * <p>NOTE(review): several fixtures use substring operators ({@code contains},
 * {@code startsWith}, {@code endsWith}) on DN, SAN, SNID and SHA1. They show that the operators
 * work; they are not a template for production filters. A substring can match more identities
 * than intended, so filters that gate access should compare whole, delimited values where
 * possible.
 *
 * <p>NOTE(review): no test pins how a negated expression behaves through {@code filter} when the
 * attribute map is null or empty. Confirm that case fails closed.
 */
public class CertIdentityPoolFilterTest {
    /** Message prefix expected on every compile/validate failure asserted below. */
    private static final String LOAD_FAILURE = "Failed to load pool filter";

    /** Three-variable expression reused by the compile, validate and default-value tests. */
    private static final String COMPOUND_FILTER =
            "(DN.contains(\"abc\")) || (CN.endsWith(\"def\")) && (SAN.startsWith(\"ghi\"))";

    private final CertIdentityPoolFilter testFilter = new CertIdentityPoolFilter();

    /**
     * Asserts that compiling {@code expression} throws {@code expectedType} and that the
     * exception message contains every entry of {@code messageParts}.
     */
    private void assertCompileRejected(
            Class<? extends Throwable> expectedType, String expression, String... messageParts) {
        Throwable thrown =
                Assertions.assertThrows(expectedType, () -> this.testFilter.compilePolicy(expression));
        for (String part : messageParts) {
            Assertions.assertTrue(thrown.getMessage().contains(part));
        }
    }

    /** Asserts that {@code expression} accepts the given certificate attributes. */
    private void assertMatches(String expression, HashMap attributes) {
        Assertions.assertTrue(this.testFilter.filter(expression, attributes));
    }

    /** Asserts that {@code expression} does not accept the given certificate attributes. */
    private void assertNoMatch(String expression, HashMap attributes) {
        Assertions.assertFalse(this.testFilter.filter(expression, attributes));
    }

    /** Undeclared identifiers, including a lowercase spelling of a declared one, are rejected. */
    @Test
    void testCompilePolicy_unknownVariable() {
        assertCompileRejected(
                PolicyEngineException.class,
                "UNKNOWN_VAR.contains(\"abc\")",
                "Failed to load pool filter 'UNKNOWN_VAR.contains(\"abc\")'",
                "undeclared reference to 'UNKNOWN_VAR'");
        // Variable names are case-sensitive: "san" is not the declared "SAN".
        assertCompileRejected(
                PolicyEngineException.class,
                "san.contains(\"abc\")",
                "Failed to load pool filter 'san.contains(\"abc\")'",
                "undeclared reference to 'san'");
    }

    /** Ordering operators are reported as undeclared references. */
    @Test
    void testCompilePolicy_unsupportedOperator() {
        assertCompileRejected(
                PolicyEngineException.class,
                "DN >= \"abc\"",
                "Failed to load pool filter 'DN >= \"abc\"'",
                "undeclared reference to '_>=_'");
        assertCompileRejected(
                PolicyEngineException.class,
                "(DN == \"abc\") < (DN == \"def\")",
                LOAD_FAILURE,
                "undeclared reference to '_<_'");
    }

    /** An expression that is not syntactically valid fails to load. */
    @Test
    void testCompilePolicy_invalidSyntax() {
        assertCompileRejected(PolicyEngineException.class, "DN contains \"abc\"", LOAD_FAILURE);
    }

    /** Comparing an attribute with an int, a double or a map is a policy violation. */
    @Test
    void testCompilePolicy_typeNotAllow() {
        assertCompileRejected(
                PolicyViolationException.class,
                "DN == 12",
                LOAD_FAILURE,
                "found no matching overload for '_==_'");
        assertCompileRejected(
                PolicyViolationException.class,
                "DN != 12.3",
                LOAD_FAILURE,
                "found no matching overload for '_!=_'");
        assertCompileRejected(
                PolicyViolationException.class,
                "DN == {\"key\":\"abc\"}",
                LOAD_FAILURE,
                "found no matching overload for '_==_'");
    }

    /** Comparing an attribute with a list using {@code ==} is a policy violation. */
    @Test
    void testCompilePolicy_notAllowOperator() {
        assertCompileRejected(
                PolicyViolationException.class,
                "DN == [\"abc\"]",
                LOAD_FAILURE,
                "found no matching overload for '_==_'");
    }

    /** Well-formed expressions compile; the test passes when nothing is thrown. */
    @Test
    void testCompilePolicy_valid() {
        String[] accepted = {"DN.contains(\"abc\")", "CN in [\"abc\", \"def\"]", COMPOUND_FILTER};
        for (String expression : accepted) {
            this.testFilter.compilePolicy(expression);
        }
    }

    /** A policy that compiles but yields a list instead of a boolean fails at evaluation. */
    @Test
    void testEvaluatePolicy_NotBooleanThrown() {
        Program listValued = this.testFilter.compilePolicy("[DN.contains(\"abc\")]");
        HashMap attributes = new HashMap();
        attributes.put("DN", "abc");
        PolicyEngineException thrown =
                Assertions.assertThrows(
                        PolicyEngineException.class,
                        () -> CertIdentityPoolFilter.evaluatePolicy(listValued, attributes));
        Assertions.assertTrue(thrown.getMessage().contains("Pool filter fails to evaluate as boolean"));
    }

    /**
     * Evaluating against an empty attribute map returns {@code false} instead of throwing.
     *
     * <p>NOTE(review): only a positive expression is covered. What a negated expression yields
     * for missing attributes is not pinned here; confirm it cannot admit a certificate.
     */
    @Test
    void testEvaluatePolicy_DefaultValues() {
        Program policy = this.testFilter.compilePolicy(COMPOUND_FILTER);
        Assertions.assertFalse(CertIdentityPoolFilter.evaluatePolicy(policy, new HashMap()));
    }

    /** A satisfied expression evaluates to {@code true}; an extra, unreferenced key is tolerated. */
    @Test
    void testEvaluatePolicy_Pass() {
        Program policy =
                this.testFilter.compilePolicy("(DN.contains(\"abc\")) || (CN.endsWith(\"def\"))");
        HashMap attributes = new HashMap();
        attributes.put("DN", "CN=def, O=abcd");
        attributes.put("CN", "def");
        // Not referenced by the policy; evaluation must still succeed.
        attributes.put("UNKNOWN", "ignore");
        Assertions.assertTrue(CertIdentityPoolFilter.evaluatePolicy(policy, attributes));
    }

    /** {@code validate} reports syntax errors and type violations with the load-failure prefix. */
    @Test
    void testValidate_throw() {
        PolicyEngineException syntaxError =
                Assertions.assertThrows(
                        PolicyEngineException.class,
                        () -> this.testFilter.validate("DN.contains \"abc\""));
        Assertions.assertTrue(syntaxError.getMessage().contains(LOAD_FAILURE));

        PolicyViolationException typeError =
                Assertions.assertThrows(
                        PolicyViolationException.class, () -> this.testFilter.validate("DN == 123"));
        Assertions.assertTrue(typeError.getMessage().contains(LOAD_FAILURE));
    }

    /** {@code validate} accepts well-formed expressions; the test passes when nothing is thrown. */
    @Test
    void testValidate_passes() {
        String[] accepted = {"DN.contains(\"abc\")", "CN in [\"abc\", \"def\"]", COMPOUND_FILTER};
        for (String expression : accepted) {
            this.testFilter.validate(expression);
        }
    }

    /** A null or empty expression never matches. */
    @Test
    void testFilter_nullOrEmptyFilter() {
        Assertions.assertFalse(this.testFilter.filter((String) null, new HashMap()));
        Assertions.assertFalse(this.testFilter.filter("", new HashMap()));
    }

    /** A null or empty attribute map never matches a positive expression. */
    @Test
    void testFilter_nullOrEmptyVars() {
        String expression = "DN.contains(\"abc\")";
        Assertions.assertFalse(this.testFilter.filter(expression, (Map) null));
        Assertions.assertFalse(this.testFilter.filter(expression, new HashMap()));
    }

    /** Matching on individual DN components (CN, L), including escaped commas in a value. */
    @Test
    void testFilter_DNPart_Matching() {
        HashMap attributes = new HashMap();
        attributes.put("CN", "Confluent Europe");
        assertMatches("CN.contains('onfl')", attributes);
        assertMatches("CN.contains('t E')", attributes);
        assertMatches("CN.startsWith('Conf')", attributes);
        assertMatches("CN.endsWith('Europe')", attributes);
        assertMatches("CN == 'Confluent Europe'", attributes);
        assertMatches("CN != 'Confluent'", attributes);
        assertMatches("CN in ['Apache Kafka', 'Confluent Europe']", attributes);
        assertMatches("CN.startsWith('Confluent') && CN.endsWith('Europe')", attributes);
        assertNoMatch("CN == 'Confluent'", attributes);
        // Matching is case-sensitive, so the negated form of a wrongly cased literal passes.
        assertNoMatch("CN.contains('confluent')", attributes);
        assertMatches("!CN.contains('confluent')", attributes);

        // The value carries backslash-escaped commas; the raw literal r'...' matches them as-is.
        attributes.put("L", "Mountain View\\, 899 W Evelyn Ave\\, United States");
        assertMatches("L.contains(r'View\\, 899')", attributes);
        assertMatches("L.startsWith('Mountain View')", attributes);
        assertMatches("L.endsWith('United States')", attributes);
        assertMatches("L.startsWith('States') || L.startsWith('Mountain')", attributes);
    }

    /**
     * Matching on the full distinguished-name string.
     *
     * <p>NOTE(review): {@code contains} on the whole DN matches text wherever it appears in the
     * string, not only in the intended RDN. The per-component variables (CN, O, ...) are the
     * tighter choice for access decisions.
     */
    @Test
    void testFilter_DN_Matching() {
        HashMap attributes = new HashMap();
        attributes.put(
                "DN",
                "CN=confluent.io,OU=Kafka\\, Cloud,O=Confluent,L=Mountain View+STREET=899 W Evelyn Ave,ST=California,C=US");
        assertMatches("DN.contains('CN=confluent.io')", attributes);
        assertMatches("DN.contains(r'Kafka\\, Cloud')", attributes);
        assertMatches("DN.startsWith('CN=confluent.io')", attributes);
        assertMatches("DN.endsWith('C=US')", attributes);
        assertMatches("DN != 'Confluent'", attributes);
        assertMatches("DN.contains('Confluent') && DN.contains('Evelyn Ave')", attributes);
        // Case-sensitive: "Confluent.io" is not "confluent.io".
        assertNoMatch("DN.contains('CN=Confluent.io')", attributes);
        assertMatches("!DN.contains('CN=Confluent.io')", attributes);
    }

    /**
     * Matching on the flattened subject-alternative-name string.
     *
     * <p>NOTE(review): SAN is a single comma-joined string here, so {@code contains} is a plain
     * substring test over all entries. The IPv6 assertions show that hex case is significant;
     * nothing in this test suggests textual forms are normalised before comparison.
     */
    @Test
    void testFilter_SAN_Matching() {
        HashMap attributes = new HashMap();
        attributes.put(
                "SAN",
                "DNS:confluent.io,DNS:*.confluent.io,IP:192.168.0.1,IP:2001:0:130f:0:0:9c0:876a:130b,EMAIL:myemail@confluent.io");
        assertMatches("SAN.contains('DNS:confluent.io')", attributes);
        assertMatches("SAN.contains(r'DNS:*.confluent.io')", attributes);
        assertMatches("SAN.contains('IP:2001:0:130f:0:0:9c0:876a:130b')", attributes);
        assertMatches("SAN.startsWith('DNS:confluent.io')", attributes);
        assertMatches("SAN.endsWith('myemail@confluent.io')", attributes);
        assertMatches("SAN != 'Confluent'", attributes);
        assertMatches(
                "SAN.contains('DNS:*.confluent.io') && SAN.contains('IP:192.168.0.1')", attributes);
        // Same address with upper-case hex digits does not match.
        assertNoMatch("SAN.contains('IP:2001:0:130F:0:0:9C0:876A:130B')", attributes);
        assertMatches("!SAN.contains('IP:2001:0:130F:0:0:9C0:876A:130B')", attributes);
    }

    /**
     * Matching on the certificate serial number (SNID), supplied as an upper-case hex string.
     *
     * <p>NOTE(review): hex case is significant, so a filter must spell the serial exactly as the
     * attribute is supplied. A negated check written in the wrong case always passes, as the
     * last assertion shows.
     */
    @Test
    void testFilter_SerialNumber_Matching() {
        HashMap attributes = new HashMap();
        attributes.put("SNID", "00D3B9E2C1CC02971E");
        assertMatches("SNID.contains('B9E2C1C')", attributes);
        assertMatches("SNID.startsWith('00D3B9')", attributes);
        assertMatches("SNID.endsWith('C02971E')", attributes);
        assertMatches("SNID != 'Confluent'", attributes);
        assertMatches("SNID == '00D3B9E2C1CC02971E'", attributes);
        assertMatches("SNID.contains('9E2C1') && !SNID.contains('IP:192.168.0.1')", attributes);
        assertNoMatch("SNID.contains('00d3b9e')", attributes);
        assertMatches("!SNID.contains('00d3b9e')", attributes);
    }

    /**
     * Matching on the SHA-1 certificate fingerprint, supplied as an upper-case hex string.
     *
     * <p>NOTE(review): the partial-fingerprint assertions exercise the operators only. Pinning a
     * certificate by a fragment of its fingerprint gives far less assurance than full equality,
     * and SHA-1 itself is no longer considered collision resistant.
     */
    @Test
    void testFilter_sha1Fingerprint_Matching() {
        HashMap attributes = new HashMap();
        attributes.put("SHA1", "CABD2A79A1076A31F21D253635CB039D4329A5E8");
        assertMatches("SHA1.contains('A1076A31F')", attributes);
        assertMatches("SHA1.startsWith('CABD2A79A107')", attributes);
        assertMatches("SHA1.endsWith('9D4329A5E8')", attributes);
        assertMatches("SHA1 != 'Confluent'", attributes);
        assertMatches("SHA1 == 'CABD2A79A1076A31F21D253635CB039D4329A5E8'", attributes);
        assertMatches("SHA1.contains('1076A31F') && !SHA1.contains('IP:192.168.0.1')", attributes);
        assertNoMatch("SHA1.contains('d2a79a1076')", attributes);
        assertMatches("!SHA1.contains('d2a79a1076')", attributes);
    }

    /** Several attributes supplied together and combined in one expression. */
    @Test
    void testFilter_CombineMatching() {
        HashMap attributes = new HashMap();
        attributes.put(
                "DN",
                "C=US,ST=California,L=Mountain View+STREET=899 W Evelyn Ave,O=Confluent,OU=Kafka\\, Cloud,CN=confluent.io");
        attributes.put("ST", "California");
        attributes.put("C", "US");
        attributes.put("OU", "Kafka\\, Cloud");
        attributes.put("CN", "confluent.io");
        attributes.put("L", "Mountain View");
        // NOTE(review): PEM_ISS comes from an unrelated OAuth test fixture. Presumably the
        // decompiler substituted it for an equal string literal (the organisation name); confirm
        // and inline it. No assertion below reads the "O" variable.
        attributes.put("O", JwksTestFixture.PEM_ISS);
        attributes.put("SAN", "DNS:*.example.com");
        attributes.put("SNID", "F18344E53ED280F7");
        attributes.put("SHA1", "FC53B13FA81940FF5A86428C6508DA4D044F4FB3");

        assertMatches("DN.contains('O=Confluent')", attributes);
        assertMatches("ST == 'California'", attributes);
        assertMatches("SAN.contains('DNS:*.example.com')", attributes);
        assertMatches("SNID == 'F18344E53ED280F7'", attributes);
        assertMatches("SHA1 == 'FC53B13FA81940FF5A86428C6508DA4D044F4FB3'", attributes);
        // SAN.contains('example.com') is an unanchored substring test; it is used here only to
        // show that clauses on different attributes can be combined.
        assertMatches(
                "DN.contains('O=Confluent') && ST == 'California' && !(SNID == 'ABC1123141') && SAN.contains('example.com') && SHA1 != 'ABC1123141'",
                attributes);
    }
}
