package org.apache.storm.security.auth.authorizer;

import java.util.HashMap;
import org.apache.storm.security.auth.IAuthorizer;
import org.apache.storm.security.auth.KerberosPrincipalToLocal;
import org.apache.storm.security.auth.ReqContext;
import org.apache.storm.security.auth.SingleUserPrincipal;
import org.apache.storm.shade.com.google.common.collect.ImmutableMap;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/storm/security/auth/authorizer/DRPCSimpleACLAuthorizerTest.class */
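/**
 * Tests for {@link DRPCSimpleACLAuthorizer}, run against one ACL file in two modes.
 *
 * <p>Two authorizers are prepared from the same {@code drpc.authorizer.acl.filename}; they
 * differ only in {@code drpc.authorizer.acl.strict}. The assertions below pin the following
 * access-control behaviour:
 * <ul>
 *   <li>Strict mode denies every operation on {@code wrongFunction}, which the tests treat as
 *       a function without an ACL entry (presumably absent from the ACL file; confirm against
 *       {@code drpc-simple-acl-test-scenario.yaml}).</li>
 *   <li>Permissive mode allows those same requests for a named principal, but still enforces
 *       the ACL for functions that do have an entry. Permissive therefore widens access only
 *       for unlisted functions.</li>
 *   <li>Both modes fail closed when the request carries no function name, when the context is
 *       {@code null}, or when the context has no principal.</li>
 *   <li>The principal {@code alice@SOME.RELM} is expected to be authorized like {@code alice};
 *       {@link KerberosPrincipalToLocal} is configured as {@code storm.principal.tolocal}.</li>
 * </ul>
 *
 * <p>NOTE(review): every "unauthorized user" case for {@code execute} uses
 * {@code ReqContext.context()}, an unstubbed mock, or {@code null}. No test denies
 * {@code execute} to a named principal that the ACL does not list as a client, and no test
 * covers permissive mode with an unlisted function and a principal-less context. Both gaps
 * are worth closing once the expected outcome is confirmed against the ACL file.
 */
public class DRPCSimpleACLAuthorizerTest {
    private static final String function = "jump";
    private static final String partialFunction = "partial";
    private static final String wrongFunction = "wrongFunction";
    private static final String aclFile = "drpc-simple-acl-test-scenario.yaml";
    // Operations the tests group as "invocation" operations, as opposed to the client-side "execute".
    private static final String[] invocationOperations = {"fetchRequest", "failRequest", "result"};
    private static final ReqContext aliceContext = makeMockContext("alice");
    private static final ReqContext aliceKerbContext = makeMockContext("alice@SOME.RELM");
    private static final ReqContext bobContext = makeMockContext("bob");
    private static final ReqContext charlieContext = makeMockContext("charlie");
    private static IAuthorizer strictHandler;
    private static IAuthorizer permissiveHandler;

    /** Prepares one strict and one permissive authorizer from the same ACL file. */
    @BeforeClass
    public static void setup() {
        strictHandler = newAuthorizer(true);
        permissiveHandler = newAuthorizer(false);
    }

    /**
     * Builds a {@link DRPCSimpleACLAuthorizer} configured with the shared ACL file.
     *
     * @param strict value stored under {@code drpc.authorizer.acl.strict}
     * @return the prepared authorizer
     */
    private static IAuthorizer newAuthorizer(boolean strict) {
        IAuthorizer authorizer = new DRPCSimpleACLAuthorizer();
        authorizer.prepare(ImmutableMap.of(
            "drpc.authorizer.acl.strict", strict,
            "drpc.authorizer.acl.filename", aclFile,
            "storm.principal.tolocal", KerberosPrincipalToLocal.class.getName()));
        return authorizer;
    }

    /**
     * Creates a mocked request context whose {@code principal()} is a
     * {@link SingleUserPrincipal} with the given name. No other method is stubbed.
     *
     * @param userName principal name, for example {@code "alice"} or {@code "alice@SOME.RELM"}
     * @return the mocked context
     */
    private static ReqContext makeMockContext(String userName) {
        ReqContext context = Mockito.mock(ReqContext.class);
        Mockito.when(context.principal()).thenReturn(new SingleUserPrincipal(userName));
        return context;
    }

    /** A function whose ACL grants only {@code execute} must not implicitly grant invocation operations. */
    @Test
    public void test_partial_authorization() {
        Assert.assertFalse("Deny execute to unauthorized user",
            isPermitted(strictHandler, ReqContext.context(), "execute", partialFunction));
        Assert.assertTrue("Allow execute to authorized kerb user for correct function",
            isPermitted(strictHandler, aliceKerbContext, "execute", partialFunction));
        Assert.assertFalse("Deny fetchRequest to unauthorized user for correct function",
            isPermitted(strictHandler, aliceKerbContext, "fetchRequest", partialFunction));
    }

    /** Strict mode: {@code execute} is allowed only for a listed user on a listed function. */
    @Test
    public void test_client_authorization_strict() {
        Assert.assertFalse("Deny execute to unauthorized user",
            isPermitted(strictHandler, ReqContext.context(), "execute", function));
        Assert.assertFalse("Deny execute to valid user for incorrect function",
            isPermitted(strictHandler, aliceContext, "execute", wrongFunction));
        Assert.assertTrue("Allow execute to authorized kerb user for correct function",
            isPermitted(strictHandler, aliceKerbContext, "execute", function));
        Assert.assertTrue("Allow execute to authorized user for correct function",
            isPermitted(strictHandler, aliceContext, "execute", function));
    }

    /**
     * Permissive mode: {@code execute} on a function the ACL does not cover is allowed for a
     * named principal, while the default context is still denied on a covered function.
     */
    @Test
    public void test_client_authorization_permissive() {
        Assert.assertFalse("deny execute to unauthorized user for correct function",
            isPermitted(permissiveHandler, ReqContext.context(), "execute", function));
        Assert.assertTrue("allow execute for user for incorrect function when permissive",
            isPermitted(permissiveHandler, aliceContext, "execute", wrongFunction));
        Assert.assertTrue("allow execute for kerb user for incorrect function when permissive",
            isPermitted(permissiveHandler, aliceKerbContext, "execute", wrongFunction));
        Assert.assertTrue("allow execute to authorized user for correct function",
            isPermitted(permissiveHandler, bobContext, "execute", function));
    }

    /** Strict mode: invocation operations require the listed invocation user and a listed function. */
    @Test
    public void test_invocation_authorization_strict() {
        for (String operation : invocationOperations) {
            // alice may execute the function (see the client tests) but must not act as the invoker.
            Assert.assertFalse("Deny " + operation + " to unauthorized user for correct function",
                isPermitted(strictHandler, aliceContext, operation, function));
            Assert.assertFalse("Deny " + operation + " to user for incorrect function when strict",
                isPermitted(strictHandler, charlieContext, operation, wrongFunction));
            Assert.assertTrue("allow " + operation + " to authorized user for correct function",
                isPermitted(strictHandler, charlieContext, operation, function));
        }
    }

    /**
     * Permissive mode: invocation operations on an uncovered function are allowed, but a
     * covered function still rejects a principal that is not its invocation user.
     */
    @Test
    public void test_invocation_authorization_permissive() {
        for (String operation : invocationOperations) {
            Assert.assertFalse("Deny " + operation + " to unauthorized user for correct function",
                isPermitted(permissiveHandler, bobContext, operation, function));
            Assert.assertTrue("Allow " + operation + " to user for incorrect function when permissive",
                isPermitted(permissiveHandler, charlieContext, operation, wrongFunction));
            Assert.assertTrue("allow " + operation + " to authorized user",
                isPermitted(permissiveHandler, charlieContext, operation, function));
        }
    }

    /** Both modes must fail closed when the request has no {@code function.name} or maps it to null. */
    @Test
    public void test_deny_when_no_function_given() {
        Assert.assertFalse("strict: deny execute when function.name is absent",
            strictHandler.permit(aliceContext, "execute", new HashMap<String, Object>()));
        Assert.assertFalse("strict: deny execute when function.name is null",
            isPermitted(strictHandler, aliceContext, "execute", null));
        Assert.assertFalse("permissive: deny execute when function.name is absent",
            permissiveHandler.permit(bobContext, "execute", new HashMap<String, Object>()));
        Assert.assertFalse("permissive: deny execute when function.name is null",
            isPermitted(permissiveHandler, bobContext, "execute", null));
    }

    /** Both modes must fail closed for a context without a principal and for a null context. */
    @Test
    public void test_deny_when_invalid_user_given() {
        // An unstubbed Mockito mock returns null from principal().
        Assert.assertFalse("strict: deny execute when context has no principal",
            isPermitted(strictHandler, Mockito.mock(ReqContext.class), "execute", function));
        Assert.assertFalse("strict: deny execute when context is null",
            isPermitted(strictHandler, null, "execute", function));
        Assert.assertFalse("permissive: deny execute when context has no principal",
            isPermitted(permissiveHandler, Mockito.mock(ReqContext.class), "execute", function));
        Assert.assertFalse("permissive: deny execute when context is null",
            isPermitted(permissiveHandler, null, "execute", function));
    }

    /**
     * Asks the authorizer whether {@code operation} is permitted on {@code functionName}.
     *
     * @param authorizer authorizer under test
     * @param context request context; may be {@code null}
     * @param operation operation name, for example {@code "execute"}
     * @param functionName value stored under {@code function.name}; may be {@code null}
     * @return the authorizer's decision
     */
    private static boolean isPermitted(IAuthorizer authorizer, ReqContext context, String operation, String functionName) {
        // HashMap rather than an immutable map: the null-function test needs a null value.
        HashMap<String, Object> params = new HashMap<String, Object>();
        params.put("function.name", functionName);
        return authorizer.permit(context, operation, params);
    }
}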
