package io.confluent.rbacdb.kafka;

import io.confluent.rbacdb.config.DbAuthStoreConfig;
import io.confluent.rbacdb.exception.DbAuthStoreException;
import io.confluent.rbacdb.orm.RbacOrmService;
import io.confluent.rbacdb.orm.RbacOrmStubService;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourcePatternFilter;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.RbacRoles;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.apache.kafka.common.MetricName;
import org.apache.kafka.common.metrics.KafkaMetric;
import org.apache.kafka.common.metrics.MetricConfig;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;
import org.apache.kafka.test.TestUtils;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.testng.Assert;
import org.testng.AssertJUnit;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

/* loaded from: input_file:io/confluent/rbacdb/kafka/DBAuthWriterTest.class */
public class DBAuthWriterTest {
    private final KafkaPrincipal alice = new KafkaPrincipal("User", "Alice");
    private final KafkaPrincipal bob = new KafkaPrincipal("User", "Bob");
    KafkaPrincipal test = new KafkaPrincipal("User", "Test");
    private final Scope rootScope = Scope.intermediateScope(new String[]{"org=testOrg"});
    private final Scope clusterA = new Scope.Builder(new String[]{"org=testOrg"}).withKafkaCluster("clusterA").build();
    private final Scope clusterB = new Scope.Builder(new String[]{"org=testOrg"}).withKafkaCluster("clusterB").build();
    private final Scope region = new Scope.Builder(new String[]{"org=testOrg", "businessUnit=finance", "division=sales", "region=central"}).build();
    private Map<String, String> configMap;
    private DbAuthWriter authWriter;
    private RbacOrmService ormService;
    private Metrics metrics;

    @BeforeClass
    public void setUp() throws Exception {
        RbacRoles load = RbacRoles.load(getClass().getClassLoader(), "test_rbac_roles.json");
        this.ormService = new RbacOrmStubService(load, this.rootScope);
        this.metrics = new Metrics(new MetricConfig().timeWindow(1L, TimeUnit.SECONDS));
        this.configMap = DbAuthStoreDummyConfig.getConfig();
        this.authWriter = new DbAuthWriter(load, this.rootScope, new DbAuthStoreConfig(this.configMap), this.ormService, this.metrics);
    }

    @AfterClass
    public void tearDown() {
        if (this.authWriter != null) {
            this.authWriter.close();
        }
    }

    @Test
    public void testClusterScopeAssignment() {
        this.authWriter.addClusterRoleBinding(this.alice, "ClusterAdmin", this.clusterA).toCompletableFuture().join();
        AssertJUnit.assertEquals(Collections.emptySet(), rbacResources(this.alice, "ClusterAdmin", this.clusterA));
        this.authWriter.addClusterRoleBinding(this.bob, "Operator", this.clusterB).toCompletableFuture().join();
        AssertJUnit.assertEquals(Collections.emptySet(), rbacResources(this.bob, "Operator", this.clusterB));
        Assert.assertNull(rbacResources(this.bob, "Operator", this.clusterA));
        Assert.assertNull(rbacResources(this.bob, "ClusterAdmin", this.clusterB));
        this.authWriter.addClusterRoleBinding(this.alice, "Operator", this.clusterA).toCompletableFuture().join();
        AssertJUnit.assertEquals(Collections.emptySet(), rbacResources(this.alice, "Operator", this.clusterA));
        AssertJUnit.assertEquals(Collections.emptySet(), rbacResources(this.alice, "ClusterAdmin", this.clusterA));
        this.authWriter.removeRoleBinding(this.alice, "ClusterAdmin", this.clusterA).toCompletableFuture().join();
        Assert.assertNull(rbacResources(this.alice, "ClusterAdmin", this.clusterA));
        AssertJUnit.assertEquals(Collections.emptySet(), rbacResources(this.alice, "Operator", this.clusterA));
        this.authWriter.removeRoleBinding(this.alice, "Operator", this.clusterA).toCompletableFuture().join();
        Assert.assertNull(rbacResources(this.alice, "Operator", this.clusterA));
        AssertJUnit.assertEquals(Collections.emptySet(), rbacResources(this.bob, "Operator", this.clusterB));
    }

    @Test
    public void testResourceScopeBinding() {
        Collection<ResourcePattern> resources = resources("aliceTopicA", "aliceGroupB");
        this.authWriter.replaceResourceRoleBinding(this.alice, "Reader", this.clusterA, resources).toCompletableFuture().join();
        AssertJUnit.assertEquals(resources, rbacResources(this.alice, "Reader", this.clusterA));
        Collection<ResourcePattern> resources2 = resources("aliceTopicA", "aliceGroupD");
        this.authWriter.addResourceRoleBinding(this.alice, "Reader", this.clusterA, resources2).toCompletableFuture().join();
        AssertJUnit.assertEquals(3, rbacResources(this.alice, "Reader", this.clusterA).size());
        resources.addAll(resources2);
        AssertJUnit.assertEquals(resources, rbacResources(this.alice, "Reader", this.clusterA));
        Collection<ResourcePattern> resources3 = resources("bobTopic", "bobGroup");
        this.authWriter.addResourceRoleBinding(this.bob, "Writer", this.clusterB, resources3).toCompletableFuture().join();
        AssertJUnit.assertEquals(resources3, rbacResources(this.bob, "Writer", this.clusterB));
        Assert.assertNull(rbacResources(this.bob, "Writer", this.clusterA));
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("Group", "finance");
        Collection<ResourcePattern> resources4 = resources("financeTopic", "financeGroup");
        this.authWriter.replaceResourceRoleBinding(kafkaPrincipal, "Writer", this.clusterB, resources4).toCompletableFuture().join();
        AssertJUnit.assertEquals(resources4, rbacResources(kafkaPrincipal, "Writer", this.clusterB));
        Collection<ResourcePattern> resources5 = resources("financeTopic2", "financeGroup");
        this.authWriter.replaceResourceRoleBinding(kafkaPrincipal, "Writer", this.clusterB, resources5).toCompletableFuture().join();
        AssertJUnit.assertEquals(resources5, rbacResources(kafkaPrincipal, "Writer", this.clusterB));
        this.authWriter.removeRoleBinding(this.bob, "Writer", this.clusterA).toCompletableFuture().join();
        AssertJUnit.assertEquals(resources3, rbacResources(this.bob, "Writer", this.clusterB));
        this.authWriter.removeRoleBinding(this.bob, "Writer", this.clusterB).toCompletableFuture().join();
        Assert.assertNull(rbacResources(this.bob, "Writer", this.clusterB));
        this.authWriter.removeResourceRoleBinding(this.alice, "Reader", this.clusterA, resourceFilters("some.topic", "some.group")).toCompletableFuture().join();
        AssertJUnit.assertEquals(resources, rbacResources(this.alice, "Reader", this.clusterA));
        this.authWriter.removeResourceRoleBinding(this.alice, "Reader", this.clusterA, Collections.singleton(groupResource("aliceGroupB").toFilter())).toCompletableFuture().join();
        resources.remove(groupResource("aliceGroupB"));
        AssertJUnit.assertEquals(resources, rbacResources(this.alice, "Reader", this.clusterA));
        this.authWriter.removeResourceRoleBinding(this.alice, "Reader", this.clusterA, (Collection) resources.stream().map((v0) -> {
            return v0.toFilter();
        }).collect(Collectors.toSet())).toCompletableFuture().join();
        Assert.assertNull(rbacResources(this.alice, "Reader", this.clusterA));
    }

    @Test
    public void testMultiScopeAssignment() {
        this.authWriter.addClusterRoleBinding(this.alice, "RegionManager", this.region).toCompletableFuture().join();
        AssertJUnit.assertEquals(Collections.emptySet(), rbacResources(this.alice, "RegionManager", this.region));
    }

    @Test
    public void testResourceRemoveFilter() {
        ResourceType resourceType = new ResourceType("Topic");
        ResourceType resourceType2 = new ResourceType("Group");
        ResourcePattern resourcePattern = new ResourcePattern(resourceType, "finance", PatternType.PREFIXED);
        ResourcePattern resourcePattern2 = new ResourcePattern(resourceType2, "finance", PatternType.PREFIXED);
        ResourcePattern resourcePattern3 = new ResourcePattern(resourceType, "financeTopicA", PatternType.LITERAL);
        ResourcePattern resourcePattern4 = new ResourcePattern(resourceType2, "aliceGroup", PatternType.LITERAL);
        HashSet hashSet = new HashSet();
        hashSet.add(resourcePattern);
        hashSet.add(resourcePattern2);
        hashSet.add(resourcePattern3);
        hashSet.add(resourcePattern4);
        this.authWriter.addResourceRoleBinding(this.alice, "Reader", this.clusterA, hashSet).toCompletableFuture().join();
        AssertJUnit.assertEquals(hashSet, rbacResources(this.alice, "Reader", this.clusterA));
        this.authWriter.removeResourceRoleBinding(this.alice, "Reader", this.clusterA, Utils.mkSet(new ResourcePatternFilter[]{new ResourcePatternFilter(resourceType, "financeTopicA", PatternType.MATCH)})).toCompletableFuture().join();
        AssertJUnit.assertEquals(Utils.mkSet(new ResourcePattern[]{resourcePattern2, resourcePattern4}), rbacResources(this.alice, "Reader", this.clusterA));
        this.authWriter.replaceResourceRoleBinding(this.alice, "Reader", this.clusterA, hashSet).toCompletableFuture().join();
        this.authWriter.removeResourceRoleBinding(this.alice, "Reader", this.clusterA, Utils.mkSet(new ResourcePatternFilter[]{new ResourcePatternFilter((ResourceType) null, "financeTopicA", PatternType.MATCH)})).toCompletableFuture().join();
        AssertJUnit.assertEquals(Utils.mkSet(new ResourcePattern[]{resourcePattern4}), rbacResources(this.alice, "Reader", this.clusterA));
        this.authWriter.replaceResourceRoleBinding(this.alice, "Reader", this.clusterA, hashSet).toCompletableFuture().join();
        this.authWriter.removeResourceRoleBinding(this.alice, "Reader", this.clusterA, Utils.mkSet(new ResourcePatternFilter[]{new ResourcePatternFilter((ResourceType) null, "financeTopicA", PatternType.ANY)})).toCompletableFuture().join();
        AssertJUnit.assertEquals(Utils.mkSet(new ResourcePattern[]{resourcePattern4, resourcePattern2, resourcePattern}), rbacResources(this.alice, "Reader", this.clusterA));
    }

    private Collection<ResourcePattern> rbacResources(KafkaPrincipal kafkaPrincipal, String str, Scope scope) {
        return this.ormService.rbacResources(kafkaPrincipal, str, scope);
    }

    private Collection<ResourcePattern> resources(String str, String str2) {
        return Utils.mkSet(new ResourcePattern[]{topicResource(str), groupResource(str2)});
    }

    private Collection<ResourcePatternFilter> resourceFilters(String str, String str2) {
        return Utils.mkSet(new ResourcePatternFilter[]{topicResource(str).toFilter(), groupResource(str2).toFilter()});
    }

    private ResourcePattern topicResource(String str) {
        return new ResourcePattern("Topic", str, PatternType.LITERAL);
    }

    private ResourcePattern groupResource(String str) {
        return new ResourcePattern("Group", str, PatternType.LITERAL);
    }

    @Test
    public void testRequestRateMetric() throws InterruptedException {
        for (int i = 0; i < 10; i++) {
            this.authWriter.addClusterRoleBinding(this.test, "ClusterAdmin", this.clusterA).toCompletableFuture().join();
        }
        verifyMetricValue(this.metrics, "request-rate");
        for (int i2 = 0; i2 < 10; i2++) {
            this.authWriter.removeRoleBinding(this.test, "ClusterAdmin", this.clusterA).toCompletableFuture().join();
        }
        verifyMetricValue(this.metrics, "request-rate");
        Collection<ResourcePattern> resources = resources("aliceTopic", "aliceGroup");
        for (int i3 = 0; i3 < 10; i3++) {
            this.authWriter.addResourceRoleBinding(this.test, "Reader", this.clusterA, resources).toCompletableFuture().join();
        }
        verifyMetricValue(this.metrics, "request-rate");
        ResourceType resourceType = new ResourceType("Topic");
        for (int i4 = 0; i4 < 10; i4++) {
            this.authWriter.removeResourceRoleBinding(this.test, "Reader", this.clusterA, Utils.mkSet(new ResourcePatternFilter[]{new ResourcePatternFilter(resourceType, "financeTopicA", PatternType.MATCH)})).toCompletableFuture().join();
        }
        verifyMetricValue(this.metrics, "request-rate");
        for (int i5 = 0; i5 < 10; i5++) {
            this.authWriter.replaceResourceRoleBinding(this.test, "Reader", this.clusterA, resources).toCompletableFuture().join();
        }
        verifyMetricValue(this.metrics, "request-rate");
    }

    @Test
    public void testErrorRateMetric() throws InterruptedException {
        RbacRoles load = RbacRoles.load(getClass().getClassLoader(), "test_rbac_roles.json");
        RbacOrmStubService rbacOrmStubService = (RbacOrmStubService) Mockito.mock(RbacOrmStubService.class);
        ((RbacOrmStubService) Mockito.doThrow(DbAuthStoreException.class).when(rbacOrmStubService)).addRoleBinding((KafkaPrincipal) ArgumentMatchers.any(), (KafkaPrincipal) ArgumentMatchers.any(), (String) ArgumentMatchers.any(), (Scope) ArgumentMatchers.any(), (String) ArgumentMatchers.any());
        ((RbacOrmStubService) Mockito.doThrow(DbAuthStoreException.class).when(rbacOrmStubService)).removeRoleBinding((KafkaPrincipal) ArgumentMatchers.any(), (KafkaPrincipal) ArgumentMatchers.any(), (String) ArgumentMatchers.any(), (Scope) ArgumentMatchers.any(), (String) ArgumentMatchers.any());
        ((RbacOrmStubService) Mockito.doThrow(DbAuthStoreException.class).when(rbacOrmStubService)).addResourceRoleBindings((KafkaPrincipal) ArgumentMatchers.any(), (KafkaPrincipal) ArgumentMatchers.any(), (String) ArgumentMatchers.any(), (Scope) ArgumentMatchers.any(), (Collection) ArgumentMatchers.any(), (String) ArgumentMatchers.any());
        ((RbacOrmStubService) Mockito.doThrow(DbAuthStoreException.class).when(rbacOrmStubService)).removeResourceRoleBindings((KafkaPrincipal) ArgumentMatchers.any(), (KafkaPrincipal) ArgumentMatchers.any(), (String) ArgumentMatchers.any(), (Scope) ArgumentMatchers.any(), (Collection) ArgumentMatchers.any(), (String) ArgumentMatchers.any());
        ((RbacOrmStubService) Mockito.doThrow(DbAuthStoreException.class).when(rbacOrmStubService)).replaceResourceRoleBindings((KafkaPrincipal) ArgumentMatchers.any(), (KafkaPrincipal) ArgumentMatchers.any(), (String) ArgumentMatchers.any(), (Scope) ArgumentMatchers.any(), (Collection) ArgumentMatchers.any(), (String) ArgumentMatchers.any());
        DbAuthStoreConfig dbAuthStoreConfig = new DbAuthStoreConfig(this.configMap);
        Metrics metrics = new Metrics(new MetricConfig().timeWindow(1L, TimeUnit.SECONDS));
        DbAuthWriter dbAuthWriter = new DbAuthWriter(load, this.rootScope, dbAuthStoreConfig, rbacOrmStubService, metrics);
        Throwable th = null;
        for (int i = 0; i < 10; i++) {
            try {
                try {
                    try {
                        dbAuthWriter.addClusterRoleBinding(Optional.empty(), this.test, "ClusterAdmin", this.clusterA, "no reason").toCompletableFuture().join();
                    } catch (Throwable th2) {
                        th = th2;
                        throw th2;
                    }
                } catch (Throwable th3) {
                    if (dbAuthWriter != null) {
                        if (th != null) {
                            try {
                                dbAuthWriter.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            dbAuthWriter.close();
                        }
                    }
                    throw th3;
                }
            } catch (Exception e) {
            }
        }
        verifyMetricValue(metrics, "request-error-rate");
        for (int i2 = 0; i2 < 10; i2++) {
            try {
                dbAuthWriter.removeRoleBinding(this.test, "ClusterAdmin", this.clusterA).toCompletableFuture().join();
            } catch (Exception e2) {
            }
        }
        verifyMetricValue(metrics, "request-error-rate");
        Collection<ResourcePattern> resources = resources("aliceTopic", "aliceGroup");
        for (int i3 = 0; i3 < 10; i3++) {
            try {
                dbAuthWriter.addResourceRoleBinding(this.test, "Reader", this.clusterA, resources).toCompletableFuture().join();
            } catch (Exception e3) {
            }
        }
        verifyMetricValue(metrics, "request-error-rate");
        ResourceType resourceType = new ResourceType("Topic");
        for (int i4 = 0; i4 < 10; i4++) {
            try {
                dbAuthWriter.removeResourceRoleBinding(this.test, "Reader", this.clusterA, Utils.mkSet(new ResourcePatternFilter[]{new ResourcePatternFilter(resourceType, "financeTopicA", PatternType.MATCH)})).toCompletableFuture().join();
            } catch (Exception e4) {
            }
        }
        verifyMetricValue(metrics, "request-error-rate");
        for (int i5 = 0; i5 < 10; i5++) {
            try {
                dbAuthWriter.replaceResourceRoleBinding(this.test, "Reader", this.clusterA, resources).toCompletableFuture().join();
            } catch (Exception e5) {
            }
        }
        verifyMetricValue(metrics, "request-error-rate");
        if (dbAuthWriter != null) {
            if (0 == 0) {
                dbAuthWriter.close();
                return;
            }
            try {
                dbAuthWriter.close();
            } catch (Throwable th5) {
                th.addSuppressed(th5);
            }
        }
    }

    private void verifyMetricValue(Metrics metrics, String str) throws InterruptedException {
        Assert.assertTrue(TestUtils.getMetricValue(metrics, str) > 0.0d);
        Thread.sleep(2000L);
        Assert.assertEquals(Double.valueOf(TestUtils.getMetricValue(metrics, str)), Double.valueOf(0.0d));
    }

    @Test
    public void testThreadPoolMetrics() {
        RbacRoles load = RbacRoles.load(getClass().getClassLoader(), "test_rbac_roles.json");
        CountDownLatch countDownLatch = new CountDownLatch(1);
        RbacOrmService rbacOrmService = (RbacOrmService) Mockito.mock(RbacOrmStubService.class);
        ((RbacOrmService) Mockito.doAnswer(invocationOnMock -> {
            countDownLatch.await();
            return "";
        }).when(rbacOrmService)).addRoleBinding((KafkaPrincipal) ArgumentMatchers.any(), (KafkaPrincipal) ArgumentMatchers.any(), (String) ArgumentMatchers.any(), (Scope) ArgumentMatchers.any(), (String) ArgumentMatchers.any());
        DbAuthStoreConfig dbAuthStoreConfig = new DbAuthStoreConfig(this.configMap);
        Metrics metrics = new Metrics();
        DbAuthWriter dbAuthWriter = new DbAuthWriter(load, this.rootScope, dbAuthStoreConfig, rbacOrmService, metrics);
        Throwable th = null;
        try {
            verifyThreadPoolMetric(metrics, 0.0d, 0, 0.0d);
            LinkedList linkedList = new LinkedList();
            for (int i = 0; i < 10; i++) {
                try {
                    linkedList.add(dbAuthWriter.addClusterRoleBinding(this.test, "ClusterAdmin", this.clusterA).toCompletableFuture());
                } catch (Exception e) {
                }
            }
            verifyThreadPoolMetric(metrics, 0.0d, 10, 1.0d);
            for (int i2 = 0; i2 < 10; i2++) {
                try {
                    linkedList.add(dbAuthWriter.addClusterRoleBinding(this.test, "ClusterAdmin", this.clusterA).toCompletableFuture());
                } catch (Exception e2) {
                }
            }
            verifyThreadPoolMetric(metrics, 10.0d, 10, 1.0d);
            countDownLatch.countDown();
            linkedList.forEach((v0) -> {
                v0.join();
            });
            verifyThreadPoolMetric(metrics, 0.0d, 0, 0.0d);
            if (dbAuthWriter != null) {
                if (0 == 0) {
                    dbAuthWriter.close();
                    return;
                }
                try {
                    dbAuthWriter.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (dbAuthWriter != null) {
                if (0 != 0) {
                    try {
                        dbAuthWriter.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    dbAuthWriter.close();
                }
            }
            throw th3;
        }
    }

    private void verifyThreadPoolMetric(Metrics metrics, double d, int i, double d2) {
        Assert.assertEquals(Double.valueOf(TestUtils.getMetricValue(metrics, "request-queue-size")), Double.valueOf(d));
        Assert.assertEquals(getIntMetricValue(metrics, "active-task-count"), i);
        Assert.assertEquals(Double.valueOf(TestUtils.getMetricValue(metrics, "thread-pool-usage")), Double.valueOf(d2));
    }

    public static int getIntMetricValue(Metrics metrics, String str) {
        Optional findFirst = metrics.metrics().entrySet().stream().filter(entry -> {
            return ((MetricName) entry.getKey()).name().equals(str);
        }).map((v0) -> {
            return v0.getValue();
        }).findFirst();
        if (findFirst.isPresent()) {
            return ((Integer) ((KafkaMetric) findFirst.get()).metricValue()).intValue();
        }
        return -1;
    }
}
