package org.apache.druid.indexing.overlord.sampler;

import java.util.Collections;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.druid.client.indexing.SamplerSpec;
import org.apache.druid.java.util.common.UOE;
import org.apache.druid.server.security.Access;
import org.apache.druid.server.security.Action;
import org.apache.druid.server.security.AuthConfig;
import org.apache.druid.server.security.AuthenticationResult;
import org.apache.druid.server.security.Authorizer;
import org.apache.druid.server.security.AuthorizerMapper;
import org.apache.druid.server.security.ForbiddenException;
import org.apache.druid.server.security.Resource;
import org.apache.druid.server.security.ResourceAction;
import org.easymock.EasyMock;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/druid/indexing/overlord/sampler/SamplerResourceTest.class */
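/**
 * Unit tests for the authorization behaviour of {@link SamplerResource#post}.
 *
 * <p>The tests drive {@code post} with EasyMock doubles for the servlet request, the
 * {@link AuthConfig} and the {@link SamplerSpec}. They check how the outcome depends on
 * {@code AuthConfig.isEnableInputSourceSecurity()} and on the caller's identity.
 *
 * <p>Unless a test installs its own mapper, authorization decisions come from
 * {@link #AUTH_MAPPER}. That stub allows every resource type except {@code "EXTERNAL"}.
 * An {@code "EXTERNAL"} resource may only be READ by the identity
 * {@link Users#INPUT_SOURCE_ALLOWED}.
 *
 * <p>NOTE(review): apart from {@link #test_post_properResourcesAuthorized()}, no test here calls
 * {@code EasyMock.verify}. An expectation that is recorded but never invoked therefore goes
 * unnoticed in those tests; they only fail on unexpected calls or on the wrong exception.
 */
public class SamplerResourceTest {
    private HttpServletRequest req;
    private AuthConfig authConfig;
    private SamplerSpec samplerSpec;
    private SamplerResource samplerResource;

    /**
     * Stub mapper that returns the same permissive authorizer for every authorizer name.
     * Only {@code "EXTERNAL"} resources are restricted (READ by the allowed identity only).
     */
    private static final AuthorizerMapper AUTH_MAPPER = new AuthorizerMapper(null) {
        @Override
        public Authorizer getAuthorizer(String name) {
            return new Authorizer() {
                @Override
                public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
                    final String identity = authenticationResult.getIdentity();
                    switch (resource.getType()) {
                        case "EXTERNAL":
                            // Input-source access: READ only, and only for the allowed test user.
                            return new Access(action == Action.READ && Users.INPUT_SOURCE_ALLOWED.equals(identity));
                        default:
                            // Everything else is allowed, so the tests isolate the input-source check.
                            return new Access(true);
                    }
                }
            };
        }
    };

    /** Identities used by the tests; {@link #AUTH_MAPPER} keys its decision on these. */
    private static final class Users {
        private static final String INPUT_SOURCE_ALLOWED = "inputSourceAllowed";
        private static final String INPUT_SOURCE_DISALLOWED = "inputSourceDisallowed";

        private Users() {
        }
    }

    /** Creates fresh mocks and a {@link SamplerResource} wired to the stub {@link #AUTH_MAPPER}. */
    @Before
    public void setUp() {
        // Strict mock: calls on the request must arrive in the recorded order.
        req = EasyMock.createStrictMock(HttpServletRequest.class);
        authConfig = EasyMock.createMock(AuthConfig.class);
        samplerSpec = EasyMock.createMock(SamplerSpec.class);
        samplerResource = new SamplerResource(AUTH_MAPPER, authConfig);
    }

    /**
     * With input source security disabled, {@code post} must still authorize WRITE on
     * {@link Resource#STATE_RESOURCE} through the authorizer named {@code "druid"}.
     */
    @Test
    public void test_post_properResourcesAuthorized() {
        expectAuthorizationTokenCheck(Users.INPUT_SOURCE_DISALLOWED);
        final Authorizer authorizer = EasyMock.createMock(Authorizer.class);
        final AuthorizerMapper authorizerMapper = EasyMock.createMock(AuthorizerMapper.class);
        EasyMock.expect(authorizerMapper.getAuthorizer("druid")).andReturn(authorizer);
        EasyMock.expect(
            authorizer.authorize(
                EasyMock.anyObject(AuthenticationResult.class),
                EasyMock.eq(Resource.STATE_RESOURCE),
                EasyMock.eq(Action.WRITE)))
            .andReturn(Access.OK);
        EasyMock.expect(authConfig.isEnableInputSourceSecurity()).andReturn(false);
        EasyMock.expect(samplerSpec.sample()).andReturn(null);
        EasyMock.replay(req, authConfig, authorizer, authorizerMapper, samplerSpec);

        samplerResource = new SamplerResource(authorizerMapper, authConfig);
        samplerResource.post(samplerSpec, req);

        // Without verification this test would also pass if post() never consulted the
        // authorizer, because replayed mocks only reject unexpected calls. Verifying the two
        // authorization mocks pins the STATE/WRITE check this test is named after.
        EasyMock.verify(authorizerMapper, authorizer);
    }

    /**
     * Security enabled and the caller is not allowed to READ the {@code "EXTERNAL"} input
     * source: {@code post} must fail with {@link ForbiddenException}. No {@code sample()}
     * expectation is recorded, so sampling before the denial would fail the test.
     */
    @Test
    public void test_post_inputSourceSecurityEnabledAndinputSourceDisAllowed_throwsAuthError() {
        expectAuthorizationTokenCheck(Users.INPUT_SOURCE_DISALLOWED);
        EasyMock.expect(authConfig.isEnableInputSourceSecurity()).andReturn(true);
        EasyMock.expect(samplerSpec.getInputSourceResources())
            .andReturn(Collections.singleton(new ResourceAction(new Resource("test", "EXTERNAL"), Action.READ)));
        EasyMock.replay(req, authConfig, samplerSpec);

        Assert.assertThrows(ForbiddenException.class, () -> samplerResource.post(samplerSpec, req));
    }

    /** Security enabled and the caller may READ the {@code "EXTERNAL"} input source: sampling proceeds. */
    @Test
    public void test_post_inputSourceSecurityEnabledAndinputSourceAllowed_samples() {
        expectAuthorizationTokenCheck(Users.INPUT_SOURCE_ALLOWED);
        EasyMock.expect(authConfig.isEnableInputSourceSecurity()).andReturn(true);
        EasyMock.expect(samplerSpec.getInputSourceResources())
            .andReturn(Collections.singleton(new ResourceAction(new Resource("test", "EXTERNAL"), Action.READ)));
        EasyMock.expect(samplerSpec.sample()).andReturn(null);
        EasyMock.replay(req, authConfig, samplerSpec);

        samplerResource.post(samplerSpec, req);
    }

    /**
     * Security disabled: the input source resources are never requested from the spec (no
     * expectation is recorded for that call), so even the disallowed identity can sample.
     */
    @Test
    public void test_post_inputSourceSecurityDisabledAndinputSourceDisAllowed_samples() {
        expectAuthorizationTokenCheck(Users.INPUT_SOURCE_DISALLOWED);
        EasyMock.expect(authConfig.isEnableInputSourceSecurity()).andReturn(false);
        EasyMock.expect(samplerSpec.sample()).andReturn(null);
        EasyMock.replay(req, authConfig, samplerSpec);

        samplerResource.post(samplerSpec, req);
    }

    /**
     * Security enabled but the spec cannot report its input source resources: the
     * {@link UOE} raised by {@code getInputSourceResources()} must propagate out of {@code post}.
     */
    @Test
    public void test_post_inputSourceSecurityEnabledAndinputSourcNotSupported_throwsUOE() {
        expectAuthorizationTokenCheck(Users.INPUT_SOURCE_ALLOWED);
        EasyMock.expect(authConfig.isEnableInputSourceSecurity()).andReturn(true);
        EasyMock.expect(samplerSpec.getInputSourceResources())
            .andThrow(new UOE("input source type 'test' does not support input source security feature", new Object[0]));
        // NOTE(review): presumably never reached once the UOE is thrown. Kept from the original;
        // it is harmless because this mock is not verified.
        EasyMock.expect(samplerSpec.sample()).andReturn(null);
        EasyMock.replay(req, authConfig, samplerSpec);

        Assert.assertThrows(UOE.class, () -> samplerResource.post(samplerSpec, req));
    }

    /**
     * Records the request-attribute traffic the authorization code is expected to produce.
     * The request carries an {@link AuthenticationResult} for {@code identity} under the
     * authorizer name {@code "druid"}.
     *
     * @param identity identity placed in the authentication result
     */
    private void expectAuthorizationTokenCheck(String identity) {
        final AuthenticationResult authenticationResult =
            new AuthenticationResult(identity, "druid", (String) null, (Map) null);
        EasyMock.expect(req.getAttribute("Druid-Allow-Unsecured-Path")).andReturn(null).anyTimes();
        // null here means "authorization has not been performed on this request yet".
        EasyMock.expect(req.getAttribute("Druid-Authorization-Checked")).andReturn(null).atLeastOnce();
        EasyMock.expect(req.getAttribute("Druid-Authentication-Result")).andReturn(authenticationResult).atLeastOnce();
        // Either outcome may be written back, so both values are accepted any number of times.
        req.setAttribute("Druid-Authorization-Checked", false);
        EasyMock.expectLastCall().anyTimes();
        req.setAttribute("Druid-Authorization-Checked", true);
        EasyMock.expectLastCall().anyTimes();
    }
}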
