package org.apache.druid.tests.security;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.inject.Inject;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.java.util.http.client.CredentialedHttpClient;
import org.apache.druid.java.util.http.client.HttpClient;
import org.apache.druid.java.util.http.client.auth.BasicCredentials;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.server.security.Action;
import org.apache.druid.server.security.Resource;
import org.apache.druid.server.security.ResourceAction;
import org.apache.druid.server.security.ResourceType;
import org.apache.druid.testing.IntegrationTestingConfig;
import org.apache.druid.testing.clients.CoordinatorResourceTestClient;
import org.apache.druid.testing.guice.DruidTestModuleFactory;
import org.apache.druid.testing.utils.HttpUtil;
import org.apache.druid.testing.utils.ITRetryUtil;
import org.apache.druid.tests.TestNGGroup;
import org.jboss.netty.handler.codec.http.HttpMethod;
import org.jboss.netty.handler.codec.http.HttpResponseStatus;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Guice;
import org.testng.annotations.Test;

@Guice(moduleFactory = DruidTestModuleFactory.class)
@Test(groups = {TestNGGroup.LDAP_SECURITY})
/* loaded from: input_file:org/apache/druid/tests/security/ITBasicAuthLdapConfigurationTest.class */
public class ITBasicAuthLdapConfigurationTest extends AbstractAuthConfigurationTest {
    private static final Logger LOG = new Logger(ITBasicAuthLdapConfigurationTest.class);
    private static final String LDAP_AUTHENTICATOR = "ldap";
    private static final String LDAP_AUTHORIZER = "ldapauth";
    private static final String EXPECTED_AVATICA_AUTH_ERROR = "Error while executing SQL \"SELECT * FROM INFORMATION_SCHEMA.COLUMNS\": Remote driver error: BasicSecurityAuthenticationException: User LDAP authentication failed.";

    @Inject
    IntegrationTestingConfig config;

    @Inject
    ObjectMapper jsonMapper;

    @Inject
    private CoordinatorResourceTestClient coordinatorClient;
    private HttpClient druidUserClient;
    private HttpClient stateOnlyNoLdapGroupUserClient;

    @BeforeClass
    public void before() throws Exception {
        ITRetryUtil.retryUntilTrue(() -> {
            return Boolean.valueOf(this.coordinatorClient.areSegmentsLoaded("auth_test"));
        }, "auth_test segment load");
        setupHttpClients();
        setupUsers();
        setExpectedSystemSchemaObjects();
    }

    @Test
    public void test_systemSchemaAccess_admin() throws Exception {
        checkNodeAccess(this.adminClient);
        LOG.info("Checking sys.segments query as admin...", new Object[0]);
        verifySystemSchemaQuery(this.adminClient, "SELECT * FROM sys.segments WHERE datasource IN ('auth_test')", this.adminSegments);
        LOG.info("Checking sys.servers query as admin...", new Object[0]);
        verifySystemSchemaServerQuery(this.adminClient, "SELECT * FROM sys.servers WHERE tier IS NOT NULL", getServersWithoutCurrentSize(this.adminServers));
        LOG.info("Checking sys.server_segments query as admin...", new Object[0]);
        verifySystemSchemaQuery(this.adminClient, "SELECT * FROM sys.server_segments WHERE segment_id LIKE 'auth_test%'", this.adminServerSegments);
        LOG.info("Checking sys.tasks query as admin...", new Object[0]);
        verifySystemSchemaQuery(this.adminClient, "SELECT * FROM sys.tasks WHERE datasource IN ('auth_test')", this.adminTasks);
    }

    @Test
    public void test_systemSchemaAccess_datasourceOnlyUser() throws Exception {
        HttpUtil.makeRequest(this.datasourceOnlyUserClient, HttpMethod.GET, this.config.getBrokerUrl() + "/druid/v2/datasources/auth_test", (byte[]) null);
        LOG.info("Checking sys.segments query as datasourceOnlyUser...", new Object[0]);
        verifySystemSchemaQuery(this.datasourceOnlyUserClient, "SELECT * FROM sys.segments WHERE datasource IN ('auth_test')", (List) this.adminSegments.stream().filter(map -> {
            return "auth_test".equals(map.get("datasource"));
        }).collect(Collectors.toList()));
        LOG.info("Checking sys.servers query as datasourceOnlyUser...", new Object[0]);
        verifySystemSchemaQueryFailure(this.datasourceOnlyUserClient, "SELECT * FROM sys.servers WHERE tier IS NOT NULL", HttpResponseStatus.FORBIDDEN, "{\"Access-Check-Result\":\"Insufficient permission to view servers : Allowed:false, Message:\"}");
        LOG.info("Checking sys.server_segments query as datasourceOnlyUser...", new Object[0]);
        verifySystemSchemaQueryFailure(this.datasourceOnlyUserClient, "SELECT * FROM sys.server_segments WHERE segment_id LIKE 'auth_test%'", HttpResponseStatus.FORBIDDEN, "{\"Access-Check-Result\":\"Insufficient permission to view servers : Allowed:false, Message:\"}");
        LOG.info("Checking sys.tasks query as datasourceOnlyUser...", new Object[0]);
        verifySystemSchemaQuery(this.datasourceOnlyUserClient, "SELECT * FROM sys.tasks WHERE datasource IN ('auth_test')", (List) this.adminTasks.stream().filter(map2 -> {
            return "auth_test".equals(map2.get("datasource"));
        }).collect(Collectors.toList()));
    }

    @Test
    public void test_systemSchemaAccess_datasourceWithStateUser() throws Exception {
        HttpUtil.makeRequest(this.datasourceWithStateUserClient, HttpMethod.GET, this.config.getBrokerUrl() + "/status", (byte[]) null);
        LOG.info("Checking sys.segments query as datasourceWithStateUser...", new Object[0]);
        verifySystemSchemaQuery(this.datasourceWithStateUserClient, "SELECT * FROM sys.segments WHERE datasource IN ('auth_test')", (List) this.adminSegments.stream().filter(map -> {
            return "auth_test".equals(map.get("datasource"));
        }).collect(Collectors.toList()));
        LOG.info("Checking sys.servers query as datasourceWithStateUser...", new Object[0]);
        verifySystemSchemaServerQuery(this.datasourceWithStateUserClient, "SELECT * FROM sys.servers WHERE tier IS NOT NULL", this.adminServers);
        LOG.info("Checking sys.server_segments query as datasourceWithStateUser...", new Object[0]);
        verifySystemSchemaQuery(this.datasourceWithStateUserClient, "SELECT * FROM sys.server_segments WHERE segment_id LIKE 'auth_test%'", (List) this.adminServerSegments.stream().filter(map2 -> {
            return ((String) map2.get("segment_id")).contains("auth_test");
        }).collect(Collectors.toList()));
        LOG.info("Checking sys.tasks query as datasourceWithStateUser...", new Object[0]);
        verifySystemSchemaQuery(this.datasourceWithStateUserClient, "SELECT * FROM sys.tasks WHERE datasource IN ('auth_test')", (List) this.adminTasks.stream().filter(map3 -> {
            return "auth_test".equals(map3.get("datasource"));
        }).collect(Collectors.toList()));
    }

    @Test
    public void test_systemSchemaAccess_stateOnlyUser() throws Exception {
        HttpUtil.makeRequest(this.stateOnlyUserClient, HttpMethod.GET, this.config.getBrokerUrl() + "/status", (byte[]) null);
        LOG.info("Checking sys.segments query as stateOnlyUser...", new Object[0]);
        verifySystemSchemaQuery(this.stateOnlyUserClient, "SELECT * FROM sys.segments WHERE datasource IN ('auth_test')", Collections.emptyList());
        LOG.info("Checking sys.servers query as stateOnlyUser...", new Object[0]);
        verifySystemSchemaServerQuery(this.stateOnlyUserClient, "SELECT * FROM sys.servers WHERE tier IS NOT NULL", this.adminServers);
        LOG.info("Checking sys.server_segments query as stateOnlyUser...", new Object[0]);
        verifySystemSchemaQuery(this.stateOnlyUserClient, "SELECT * FROM sys.server_segments WHERE segment_id LIKE 'auth_test%'", Collections.emptyList());
        LOG.info("Checking sys.tasks query as stateOnlyUser...", new Object[0]);
        verifySystemSchemaQuery(this.stateOnlyUserClient, "SELECT * FROM sys.tasks WHERE datasource IN ('auth_test')", Collections.emptyList());
    }

    @Test
    public void test_systemSchemaAccess_stateOnlyNoLdapGroupUser() throws Exception {
        HttpUtil.makeRequest(this.stateOnlyUserClient, HttpMethod.GET, this.config.getBrokerUrl() + "/status", (byte[]) null);
        LOG.info("Checking sys.segments query as stateOnlyNoLdapGroupUser...", new Object[0]);
        verifySystemSchemaQuery(this.stateOnlyNoLdapGroupUserClient, "SELECT * FROM sys.segments WHERE datasource IN ('auth_test')", Collections.emptyList());
        LOG.info("Checking sys.servers query as stateOnlyNoLdapGroupUser...", new Object[0]);
        verifySystemSchemaServerQuery(this.stateOnlyNoLdapGroupUserClient, "SELECT * FROM sys.servers WHERE tier IS NOT NULL", this.adminServers);
        LOG.info("Checking sys.server_segments query as stateOnlyNoLdapGroupUser...", new Object[0]);
        verifySystemSchemaQuery(this.stateOnlyNoLdapGroupUserClient, "SELECT * FROM sys.server_segments WHERE segment_id LIKE 'auth_test%'", Collections.emptyList());
        LOG.info("Checking sys.tasks query as stateOnlyNoLdapGroupUser...", new Object[0]);
        verifySystemSchemaQuery(this.stateOnlyNoLdapGroupUserClient, "SELECT * FROM sys.tasks WHERE datasource IN ('auth_test')", Collections.emptyList());
    }

    @Test
    public void test_unsecuredPathWithoutCredentials_allowed() {
        checkUnsecuredCoordinatorLoadQueuePath(this.httpClient);
    }

    @Test
    public void test_admin_loadStatus() throws Exception {
        checkLoadStatus(this.adminClient);
    }

    @Test
    public void test_admin_hasNodeAccess() {
        checkNodeAccess(this.adminClient);
    }

    @Test
    public void test_internalSystemUser_hasNodeAccess() {
        checkNodeAccess(this.internalSystemClient);
    }

    @Test
    public void test_druidUser_hasNodeAccess() {
        checkNodeAccess(this.druidUserClient);
    }

    @Test
    public void test_avaticaQuery_broker() {
        testAvaticaQuery(getBrokerAvacticaUrl());
    }

    @Test
    public void test_avaticaQuery_router() {
        testAvaticaQuery(getRouterAvacticaUrl());
    }

    @Test
    public void test_avaticaQueryAuthFailure_broker() throws Exception {
        testAvaticaAuthFailure(getBrokerAvacticaUrl());
    }

    @Test
    public void test_avaticaQueryAuthFailure_router() throws Exception {
        testAvaticaAuthFailure(getRouterAvacticaUrl());
    }

    @Test
    public void test_admin_optionsRequest() {
        verifyAdminOptionsRequest();
    }

    @Test
    public void test_authentication_invalidAuthName_fails() {
        verifyAuthenticatioInvalidAuthNameFails();
    }

    @Test
    public void test_authorization_invalidAuthName_fails() {
        verifyAuthorizationInvalidAuthNameFails();
    }

    @Test
    public void test_groupMappings_invalidAuthName_fails() {
        verifyGroupMappingsInvalidAuthNameFails();
    }

    @Test
    public void testMaliciousUser() {
        verifyMaliciousUser();
    }

    @Override // org.apache.druid.tests.security.AbstractAuthConfigurationTest
    void setupUsers() throws Exception {
        createRoleWithPermissionsAndGroupMapping("datasourceOnlyGroup", ImmutableMap.of("datasourceOnlyRole", Collections.singletonList(new ResourceAction(new Resource("auth_test", ResourceType.DATASOURCE), Action.READ))));
        createRoleWithPermissionsAndGroupMapping("datasourceWithStateGroup", ImmutableMap.of("datasourceWithStateRole", ImmutableList.of(new ResourceAction(new Resource("auth_test", ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource(".*", ResourceType.STATE), Action.READ))));
        ImmutableList of = ImmutableList.of(new ResourceAction(new Resource(".*", ResourceType.STATE), Action.READ));
        createRoleWithPermissionsAndGroupMapping("stateOnlyGroup", ImmutableMap.of("stateOnlyRole", of));
        createRoleWithPermissionsAndGroupMapping("druidGroup", ImmutableMap.of("druidrole", of));
        assignUserToRole("stateOnlyNoLdapGroup", "stateOnlyRole");
    }

    @Override // org.apache.druid.tests.security.AbstractAuthConfigurationTest
    void setupTestSpecificHttpClients() {
        this.druidUserClient = new CredentialedHttpClient(new BasicCredentials("druid", "helloworld"), this.httpClient);
        this.stateOnlyNoLdapGroupUserClient = new CredentialedHttpClient(new BasicCredentials("stateOnlyNoLdapGroup", "helloworld"), this.httpClient);
    }

    private void createRoleWithPermissionsAndGroupMapping(String str, Map<String, List<ResourceAction>> map) throws Exception {
        map.keySet().forEach(str2 -> {
            HttpUtil.makeRequest(this.adminClient, HttpMethod.POST, StringUtils.format("%s/druid-ext/basic-security/authorization/db/ldapauth/roles/%s", new Object[]{this.config.getCoordinatorUrl(), str2}), (byte[]) null);
        });
        for (Map.Entry<String, List<ResourceAction>> entry : map.entrySet()) {
            String key = entry.getKey();
            HttpUtil.makeRequest(this.adminClient, HttpMethod.POST, StringUtils.format("%s/druid-ext/basic-security/authorization/db/ldapauth/roles/%s/permissions", new Object[]{this.config.getCoordinatorUrl(), key}), this.jsonMapper.writeValueAsBytes(entry.getValue()));
        }
        String format = StringUtils.format("%sMapping", new Object[]{str});
        HttpUtil.makeRequest(this.adminClient, HttpMethod.POST, StringUtils.format("%s/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/%s", new Object[]{this.config.getCoordinatorUrl(), format}), this.jsonMapper.writeValueAsBytes(new BasicAuthorizerGroupMapping(format, StringUtils.format("cn=%s,ou=Groups,dc=example,dc=org", new Object[]{str}), map.keySet())));
    }

    private void assignUserToRole(String str, String str2) {
        HttpUtil.makeRequest(this.adminClient, HttpMethod.POST, StringUtils.format("%s/druid-ext/basic-security/authorization/db/ldapauth/users/%s", new Object[]{this.config.getCoordinatorUrl(), str}), (byte[]) null);
        HttpUtil.makeRequest(this.adminClient, HttpMethod.POST, StringUtils.format("%s/druid-ext/basic-security/authorization/db/ldapauth/users/%s/roles/%s", new Object[]{this.config.getCoordinatorUrl(), str, str2}), (byte[]) null);
    }

    @Override // org.apache.druid.tests.security.AbstractAuthConfigurationTest
    String getAuthenticatorName() {
        return LDAP_AUTHENTICATOR;
    }

    @Override // org.apache.druid.tests.security.AbstractAuthConfigurationTest
    String getAuthorizerName() {
        return LDAP_AUTHORIZER;
    }

    @Override // org.apache.druid.tests.security.AbstractAuthConfigurationTest
    String getExpectedAvaticaAuthError() {
        return EXPECTED_AVATICA_AUTH_ERROR;
    }
}
