package io.confluent.rbacdb.kafka;

import io.confluent.rbacdb.config.DbAuthStoreConfig;
import io.confluent.rbacdb.orm.RbacOrmStubService;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourcePatternFilter;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.InvalidScopeException;
import io.confluent.security.rbac.InvalidRoleBindingException;
import io.confluent.security.rbac.RbacRoles;
import java.util.Collection;
import java.util.Collections;
import org.apache.kafka.common.errors.InvalidRequestException;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

/* loaded from: input_file:io/confluent/rbacdb/kafka/DBAuthWriterValidationTest.class */
public class DBAuthWriterValidationTest {
    private final KafkaPrincipal alice = new KafkaPrincipal("User", "Alice");
    private final KafkaPrincipal bob = new KafkaPrincipal("User", "Bob");
    private final Scope rootScope = Scope.intermediateScope(new String[]{"org=testOrg"});
    private final Scope clusterA = new Scope.Builder(new String[]{"org=testOrg"}).withKafkaCluster("clusterA").build();
    private final Scope anotherClusterA = new Scope.Builder(new String[]{"org=anotherOrg"}).withKafkaCluster("clusterA").build();
    private final Scope invalidScope = new Scope(Collections.emptyList(), Collections.singletonMap("", "invalid"));
    private DbAuthWriter authWriter;
    private DbAuthStore authStore;

    @BeforeClass
    public void setUp() throws Exception {
        RbacRoles load = RbacRoles.load(getClass().getClassLoader(), "test_rbac_roles.json");
        RbacOrmStubService rbacOrmStubService = new RbacOrmStubService(load, this.rootScope);
        this.authStore = new DbAuthStore(load, this.rootScope, new DbAuthStoreConfig(DbAuthStoreDummyConfig.getConfig()), rbacOrmStubService, new Metrics());
        this.authWriter = this.authStore.writer();
    }

    @AfterClass
    public void tearDown() {
        if (this.authStore != null) {
            this.authStore.close();
        }
    }

    @Test(expectedExceptions = {InvalidRequestException.class})
    public void testClusterScopeAddResources() {
        this.authWriter.addResourceRoleBinding(this.bob, "Operator", this.clusterA, resources("topicA", "groupB"));
    }

    @Test(expectedExceptions = {InvalidRequestException.class})
    public void testClusterScopeRemoveResources() {
        this.authWriter.removeResourceRoleBinding(this.bob, "Operator", this.clusterA, resourceFilters("topicA", "groupB"));
    }

    @Test(expectedExceptions = {InvalidRequestException.class})
    public void testClusterScopeSetResources() {
        this.authWriter.replaceResourceRoleBinding(this.bob, "Operator", this.clusterA, resources("topicA", "groupB"));
    }

    @Test(expectedExceptions = {InvalidRequestException.class})
    public void testResourceScopeBindingWithoutResources() {
        this.authWriter.addClusterRoleBinding(this.alice, "Reader", this.clusterA);
    }

    @Test(expectedExceptions = {InvalidRequestException.class})
    public void testResourceScopeSetEmptyResources() {
        this.authWriter.replaceResourceRoleBinding(this.alice, "Reader", this.clusterA, Collections.emptySet());
    }

    @Test(expectedExceptions = {InvalidRequestException.class})
    public void testClusterScopeAtIntermediate() {
        this.authWriter.addClusterRoleBinding(this.alice, "Operator", this.rootScope);
    }

    @Test(expectedExceptions = {InvalidRequestException.class})
    public void testResourceScopeAtIntermediate() {
        this.authWriter.addClusterRoleBinding(this.alice, "Reader", this.rootScope);
    }

    @Test(expectedExceptions = {InvalidRoleBindingException.class})
    public void testUnknownRoleAddBinding() {
        this.authWriter.addClusterRoleBinding(this.bob, "SomeRole", this.clusterA);
    }

    @Test(expectedExceptions = {InvalidRoleBindingException.class})
    public void testUnknownRoleAddResources() {
        this.authWriter.addResourceRoleBinding(this.bob, "SomeRole", this.clusterA, resources("topicA", "groupB"));
    }

    @Test(expectedExceptions = {InvalidRoleBindingException.class})
    public void testUnknownRoleSetResources() {
        this.authWriter.replaceResourceRoleBinding(this.bob, "SomeRole", this.clusterA, resources("topicA", "groupB"));
    }

    @Test(expectedExceptions = {InvalidRoleBindingException.class})
    public void testUnknownRoleRemoveResources() {
        this.authWriter.removeResourceRoleBinding(this.bob, "SomeRole", this.clusterA, resourceFilters("topicA", "groupB"));
    }

    @Test(expectedExceptions = {InvalidRoleBindingException.class})
    public void testUnknownRoleRemoveBinding() {
        this.authWriter.removeRoleBinding(this.bob, "SomeRole", this.clusterA);
    }

    @Test(expectedExceptions = {InvalidScopeException.class})
    public void testUnknownScopeAddBinding() {
        this.authWriter.addClusterRoleBinding(this.alice, "Operator", this.anotherClusterA);
    }

    @Test(expectedExceptions = {InvalidScopeException.class})
    public void testUnknownScopeAddResources() {
        this.authWriter.addResourceRoleBinding(this.alice, "Reader", this.anotherClusterA, resources("topicA", "groupB"));
    }

    @Test(expectedExceptions = {InvalidScopeException.class})
    public void testUnknownScopeSetResources() {
        this.authWriter.replaceResourceRoleBinding(this.alice, "Reader", this.anotherClusterA, resources("topicA", "groupB"));
    }

    @Test(expectedExceptions = {InvalidScopeException.class})
    public void testUnknownScopeRemoveResources() {
        this.authWriter.removeResourceRoleBinding(this.alice, "Reader", this.anotherClusterA, resourceFilters("topicA", "groupB"));
    }

    @Test(expectedExceptions = {InvalidScopeException.class})
    public void testUnknownScopeRemoveBinding() {
        this.authWriter.removeRoleBinding(this.alice, "Operator", this.anotherClusterA);
    }

    @Test(expectedExceptions = {InvalidScopeException.class})
    public void testInvalidScopeAddBinding() {
        this.authWriter.addClusterRoleBinding(this.alice, "Operator", this.invalidScope);
    }

    @Test(expectedExceptions = {InvalidScopeException.class})
    public void testInvalidScopeAddResources() {
        this.authWriter.addResourceRoleBinding(this.alice, "Reader", this.invalidScope, resources("topicA", "groupB"));
    }

    @Test(expectedExceptions = {InvalidScopeException.class})
    public void testInvalidScopeSetResources() {
        this.authWriter.replaceResourceRoleBinding(this.alice, "Reader", this.invalidScope, resources("topicA", "groupB"));
    }

    @Test(expectedExceptions = {InvalidScopeException.class})
    public void testInvalidScopeRemoveResources() {
        this.authWriter.removeResourceRoleBinding(this.alice, "Reader", this.invalidScope, resourceFilters("topicA", "groupB"));
    }

    @Test(expectedExceptions = {InvalidScopeException.class})
    public void testInvalidScopeRemoveBinding() {
        this.authWriter.removeRoleBinding(this.alice, "Operator", this.invalidScope);
    }

    @Test(expectedExceptions = {InvalidRequestException.class})
    public void testNoEnclosingScope() {
        this.authWriter.addClusterRoleBinding(this.alice, "RegionManager", this.clusterA);
    }

    private Collection<ResourcePattern> resources(String str, String str2) {
        return Utils.mkSet(new ResourcePattern[]{topicResource(str), groupResource(str2)});
    }

    private Collection<ResourcePatternFilter> resourceFilters(String str, String str2) {
        return Utils.mkSet(new ResourcePatternFilter[]{topicResource(str).toFilter(), groupResource(str2).toFilter()});
    }

    private ResourcePattern topicResource(String str) {
        return new ResourcePattern("Topic", str, PatternType.LITERAL);
    }

    private ResourcePattern groupResource(String str) {
        return new ResourcePattern("Group", str, PatternType.LITERAL);
    }
}
