package io.confluent.rbacdb.kafka;

import io.confluent.rbacdb.config.DbAuthStoreConfig;
import io.confluent.rbacdb.orm.RbacOrmService;
import io.confluent.rbacdb.orm.RbacOrmStubService;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourcePatternFilter;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.RbacRoles;
import io.confluent.security.rbac.RoleBinding;
import io.confluent.security.rbac.RoleBindingFilter;
import io.confluent.security.test.utils.RbacTestUtils;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;
import org.mockito.Mockito;
import org.testng.AssertJUnit;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:io/confluent/rbacdb/kafka/DBAuthCacheTest.class */
public class DBAuthCacheTest {
    private final Scope clusterA = Scope.kafkaClusterScope("clusterA");
    private final Scope clusterB = Scope.kafkaClusterScope("clusterB");
    private final Scope clusterC = Scope.kafkaClusterScope("clusterC");
    private final ResourcePattern clusterResource = new ResourcePattern(new ResourceType("Cluster"), "kafka-cluster", PatternType.LITERAL);
    private DbAuthCache authCache;
    private DbAuthWriter dbAuthWriter;

    @BeforeMethod
    public void setUp() throws Exception {
        RbacRoles load = RbacRoles.load(getClass().getClassLoader(), "test_rbac_roles.json");
        RbacOrmStubService rbacOrmStubService = new RbacOrmStubService(load, Scope.ROOT_SCOPE);
        DbAuthStoreConfig dbAuthStoreConfig = new DbAuthStoreConfig(DbAuthStoreDummyConfig.getConfig());
        this.dbAuthWriter = new DbAuthWriter(load, Scope.ROOT_SCOPE, dbAuthStoreConfig, rbacOrmStubService, new Metrics());
        this.authCache = new DbAuthCache(load, Scope.ROOT_SCOPE, dbAuthStoreConfig, rbacOrmStubService, new Metrics());
    }

    @AfterMethod
    public void tearDown() {
    }

    @Test
    public void testAuthCacheClusterLookupRolebindingsByScope() throws Exception {
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "Alice");
        updateRoleBinding(kafkaPrincipal, "ClusterAdmin", this.clusterA);
        AssertJUnit.assertEquals(1, this.authCache.rbacRoleBindings(this.clusterA).size());
        verifyPermissions(kafkaPrincipal, this.clusterResource, "DescribeConfigs", "AlterConfigs");
        RoleBinding roleBinding = new RoleBinding(kafkaPrincipal, "ClusterAdmin", Scope.kafkaClusterScope("clusterA"), (Collection) null);
        AssertJUnit.assertEquals(Collections.singleton(roleBinding), this.authCache.rbacRoleBindings(this.clusterA));
        AssertJUnit.assertEquals(Collections.singleton(roleBinding), this.authCache.rbacRoleBindings(Utils.mkSet(new Scope[]{this.clusterA, this.clusterB})));
        AssertJUnit.assertTrue(this.authCache.rbacRoleBindings(this.clusterB).isEmpty());
        AssertJUnit.assertTrue(this.authCache.rbacRoleBindings(Utils.mkSet(new Scope[]{this.clusterB})).isEmpty());
        updateRoleBinding(kafkaPrincipal, "ClusterAdmin", this.clusterB);
        updateRoleBinding(kafkaPrincipal, "ClusterAdmin", this.clusterC);
        RoleBinding roleBinding2 = new RoleBinding(kafkaPrincipal, "ClusterAdmin", this.clusterB, (Collection) null);
        AssertJUnit.assertEquals(Collections.singleton(roleBinding2), this.authCache.rbacRoleBindings(this.clusterB));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding, roleBinding2}), this.authCache.rbacRoleBindings(Utils.mkSet(new Scope[]{this.clusterA, this.clusterB})));
        deleteRoleBinding(kafkaPrincipal, "ClusterAdmin", this.clusterA);
        deleteRoleBinding(kafkaPrincipal, "ClusterAdmin", this.clusterB);
        AssertJUnit.assertTrue(this.authCache.rbacRoleBindings(this.clusterA).isEmpty());
        AssertJUnit.assertTrue(this.authCache.rbacRoleBindings(this.clusterB).isEmpty());
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{new RoleBinding(kafkaPrincipal, "ClusterAdmin", this.clusterC, (Collection) null)}), this.authCache.rbacRoleBindings(Utils.mkSet(new Scope[]{this.clusterA, this.clusterB, this.clusterC})));
        AssertJUnit.assertFalse(this.authCache.rbacRoleBindings(this.clusterC).isEmpty());
        deleteRoleBinding(kafkaPrincipal, "ClusterAdmin", this.clusterC);
    }

    @Test
    public void testResourceRoleBindingFilter() throws Exception {
        ResourceType resourceType = new ResourceType("Topic");
        ResourceType resourceType2 = new ResourceType("Group");
        ResourcePattern resourcePattern = new ResourcePattern(resourceType, "generalTopic", PatternType.LITERAL);
        ResourcePattern resourcePattern2 = new ResourcePattern(resourceType, "financeTopic", PatternType.LITERAL);
        ResourcePattern resourcePattern3 = new ResourcePattern(resourceType2, "generalConsumerGroup", PatternType.LITERAL);
        ResourcePattern resourcePattern4 = new ResourcePattern(resourceType, "finance", PatternType.PREFIXED);
        ResourcePattern resourcePattern5 = new ResourcePattern(resourceType2, "finance", PatternType.PREFIXED);
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "Alice");
        KafkaPrincipal kafkaPrincipal2 = new KafkaPrincipal("User", "Bob");
        updateResourceRoleBinding(kafkaPrincipal, "Reader", Scope.kafkaClusterScope("financeCluster"), Utils.mkSet(new ResourcePattern[]{resourcePattern4, resourcePattern5}));
        updateResourceRoleBinding(kafkaPrincipal, "Writer", Scope.kafkaClusterScope("financeCluster"), Utils.mkSet(new ResourcePattern[]{resourcePattern2}));
        updateResourceRoleBinding(kafkaPrincipal, "Reader", Scope.kafkaClusterScope("generalCluster"), Utils.mkSet(new ResourcePattern[]{resourcePattern, resourcePattern3}));
        updateResourceRoleBinding(kafkaPrincipal2, "Writer", Scope.kafkaClusterScope("generalCluster"), Collections.singleton(resourcePattern));
        RoleBinding roleBinding = new RoleBinding(kafkaPrincipal, "Writer", Scope.kafkaClusterScope("financeCluster"), Utils.mkSet(new ResourcePattern[]{resourcePattern2}));
        RoleBinding roleBinding2 = new RoleBinding(kafkaPrincipal2, "Writer", Scope.kafkaClusterScope("generalCluster"), Utils.mkSet(new ResourcePattern[]{resourcePattern}));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding}), this.authCache.rbacRoleBindings(new RoleBindingFilter(kafkaPrincipal, "Writer", Scope.kafkaClusterScope("financeCluster"), new ResourcePatternFilter(resourceType, resourcePattern2.name(), PatternType.LITERAL))));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding, roleBinding2}), this.authCache.rbacRoleBindings(new RoleBindingFilter((KafkaPrincipal) null, "Writer", (Scope) null, (ResourcePatternFilter) null)));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding2}), this.authCache.rbacRoleBindings(new RoleBindingFilter(kafkaPrincipal2, "Writer", (Scope) null, (ResourcePatternFilter) null)));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding2}), this.authCache.rbacRoleBindings(new RoleBindingFilter((KafkaPrincipal) null, "Writer", Scope.kafkaClusterScope("generalCluster"), (ResourcePatternFilter) null)));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding2}), this.authCache.rbacRoleBindings(new RoleBindingFilter(kafkaPrincipal2, "Writer", Scope.kafkaClusterScope("generalCluster"), new ResourcePatternFilter(resourceType, (String) null, PatternType.LITERAL))));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding2}), this.authCache.rbacRoleBindings(new RoleBindingFilter(kafkaPrincipal2, "Writer", Scope.kafkaClusterScope("generalCluster"), new ResourcePatternFilter(resourceType, resourcePattern.name(), PatternType.ANY))));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding2, roleBinding}), this.authCache.rbacRoleBindings(new RoleBindingFilter((KafkaPrincipal) null, "Writer", (Scope) null, new ResourcePatternFilter(resourceType, (String) null, PatternType.ANY))));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding2}), this.authCache.rbacRoleBindings(new RoleBindingFilter((KafkaPrincipal) null, "Writer", (Scope) null, new ResourcePatternFilter(ResourceType.ALL, "generalTopic", PatternType.MATCH))));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding2, roleBinding}), this.authCache.rbacRoleBindings(new RoleBindingFilter((KafkaPrincipal) null, "Writer", (Scope) null, new ResourcePatternFilter((ResourceType) null, (String) null, (PatternType) null))));
        RoleBinding roleBinding3 = new RoleBinding(kafkaPrincipal, "Reader", Scope.kafkaClusterScope("financeCluster"), Utils.mkSet(new ResourcePattern[]{resourcePattern4}));
        RoleBinding roleBinding4 = new RoleBinding(kafkaPrincipal, "Reader", Scope.kafkaClusterScope("financeCluster"), Utils.mkSet(new ResourcePattern[]{resourcePattern4, resourcePattern5}));
        RoleBinding roleBinding5 = new RoleBinding(kafkaPrincipal, "Reader", Scope.kafkaClusterScope("generalCluster"), Utils.mkSet(new ResourcePattern[]{resourcePattern}));
        RoleBinding roleBinding6 = new RoleBinding(kafkaPrincipal, "Reader", Scope.kafkaClusterScope("generalCluster"), Utils.mkSet(new ResourcePattern[]{resourcePattern, resourcePattern3}));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding4}), this.authCache.rbacRoleBindings(new RoleBindingFilter((KafkaPrincipal) null, "Reader", Scope.kafkaClusterScope("financeCluster"), new ResourcePatternFilter((ResourceType) null, (String) null, PatternType.ANY))));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding4, roleBinding6}), this.authCache.rbacRoleBindings(new RoleBindingFilter(kafkaPrincipal, "Reader", (Scope) null, new ResourcePatternFilter((ResourceType) null, (String) null, PatternType.ANY))));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding4}), this.authCache.rbacRoleBindings(new RoleBindingFilter(kafkaPrincipal, "Reader", (Scope) null, new ResourcePatternFilter((ResourceType) null, (String) null, PatternType.PREFIXED))));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding6}), this.authCache.rbacRoleBindings(new RoleBindingFilter(kafkaPrincipal, "Reader", (Scope) null, new ResourcePatternFilter((ResourceType) null, (String) null, PatternType.LITERAL))));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding4, roleBinding6}), this.authCache.rbacRoleBindings(new RoleBindingFilter(kafkaPrincipal, "Reader", (Scope) null, new ResourcePatternFilter((ResourceType) null, (String) null, PatternType.MATCH))));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding3, roleBinding5}), this.authCache.rbacRoleBindings(new RoleBindingFilter(kafkaPrincipal, "Reader", (Scope) null, new ResourcePatternFilter(resourceType, (String) null, PatternType.MATCH))));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding3}), this.authCache.rbacRoleBindings(new RoleBindingFilter(kafkaPrincipal, "Reader", (Scope) null, new ResourcePatternFilter(resourceType, "financeTopicA", PatternType.MATCH))));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding4, roleBinding}), this.authCache.rbacRoleBindings(new RoleBindingFilter(kafkaPrincipal, (String) null, (Scope) null, new ResourcePatternFilter((ResourceType) null, "financeTopic", PatternType.MATCH))));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding4, roleBinding}), this.authCache.rbacRoleBindings(new RoleBindingFilter((KafkaPrincipal) null, (String) null, (Scope) null, new ResourcePatternFilter((ResourceType) null, "financeTopic", PatternType.MATCH))));
    }

    @Test
    public void testGetRolesBindingsForPrincipal() throws Exception {
        Scope kafkaClusterScope = Scope.kafkaClusterScope("clusterA");
        Scope kafkaClusterScope2 = Scope.kafkaClusterScope("clusterB");
        Scope kafkaClusterScope3 = Scope.kafkaClusterScope("clusterC");
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "Alice");
        KafkaPrincipal kafkaPrincipal2 = new KafkaPrincipal("User", "Bob");
        RoleBinding roleBinding = new RoleBinding(kafkaPrincipal, "ClusterAdmin", kafkaClusterScope, Collections.emptyList());
        RoleBinding roleBinding2 = new RoleBinding(kafkaPrincipal, "ClusterAdmin", kafkaClusterScope2, Collections.emptyList());
        RoleBinding roleBinding3 = new RoleBinding(kafkaPrincipal2, "ClusterAdmin", kafkaClusterScope, Collections.emptyList());
        RoleBinding roleBinding4 = new RoleBinding(kafkaPrincipal2, "ClusterAdmin", kafkaClusterScope3, Collections.emptyList());
        updateRoleBinding(kafkaPrincipal, "ClusterAdmin", kafkaClusterScope);
        updateRoleBinding(kafkaPrincipal2, "ClusterAdmin", kafkaClusterScope);
        updateRoleBinding(kafkaPrincipal, "ClusterAdmin", kafkaClusterScope2);
        updateRoleBinding(kafkaPrincipal2, "ClusterAdmin", kafkaClusterScope3);
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding, roleBinding2}), this.authCache.rbacRoleBindings(kafkaPrincipal));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding3, roleBinding4}), this.authCache.rbacRoleBindings(kafkaPrincipal2));
    }

    @Test
    public void testGetRolesBindingsForPrincipalAndScope() throws Exception {
        Scope kafkaClusterScope = Scope.kafkaClusterScope("clusterA");
        Scope kafkaClusterScope2 = Scope.kafkaClusterScope("clusterB");
        Scope kafkaClusterScope3 = Scope.kafkaClusterScope("clusterC");
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "Alice");
        KafkaPrincipal kafkaPrincipal2 = new KafkaPrincipal("User", "Bob");
        RoleBinding roleBinding = new RoleBinding(kafkaPrincipal, "ClusterAdmin", kafkaClusterScope, Collections.emptyList());
        RoleBinding roleBinding2 = new RoleBinding(kafkaPrincipal2, "ClusterAdmin", kafkaClusterScope3, Collections.emptyList());
        updateRoleBinding(kafkaPrincipal, "ClusterAdmin", kafkaClusterScope);
        updateRoleBinding(kafkaPrincipal2, "ClusterAdmin", kafkaClusterScope);
        updateRoleBinding(kafkaPrincipal, "ClusterAdmin", kafkaClusterScope2);
        updateRoleBinding(kafkaPrincipal2, "ClusterAdmin", kafkaClusterScope3);
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding}), this.authCache.rbacRoleBindings(kafkaPrincipal, Collections.singleton(kafkaClusterScope)));
        AssertJUnit.assertEquals(Utils.mkSet(new RoleBinding[]{roleBinding2}), this.authCache.rbacRoleBindings(kafkaPrincipal2, Collections.singleton(kafkaClusterScope3)));
        AssertJUnit.assertTrue(this.authCache.rbacRoleBindings(kafkaPrincipal, Collections.singleton(Scope.kafkaClusterScope("clusterX"))).isEmpty());
    }

    @Test
    public void testKnownScopes() throws Exception {
        Scope kafkaClusterScope = Scope.kafkaClusterScope("clusterA");
        Scope kafkaClusterScope2 = Scope.kafkaClusterScope("clusterB");
        Scope kafkaClusterScope3 = Scope.kafkaClusterScope("clusterC");
        Scope kafkaClusterScope4 = Scope.kafkaClusterScope("clusterD");
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "Alice");
        KafkaPrincipal kafkaPrincipal2 = new KafkaPrincipal("User", "Bob");
        updateRoleBinding(kafkaPrincipal, "ClusterAdmin", kafkaClusterScope);
        updateRoleBinding(kafkaPrincipal2, "ClusterAdmin", kafkaClusterScope);
        updateRoleBinding(kafkaPrincipal, "ClusterAdmin", kafkaClusterScope2);
        updateRoleBinding(kafkaPrincipal2, "ClusterAdmin", kafkaClusterScope3);
        updateRoleBinding(kafkaPrincipal2, "ClusterAdmin", kafkaClusterScope4);
        deleteRoleBinding(kafkaPrincipal2, "ClusterAdmin", kafkaClusterScope4);
        AssertJUnit.assertEquals(Utils.mkSet(new Scope[]{kafkaClusterScope, kafkaClusterScope2, kafkaClusterScope3, kafkaClusterScope4}), this.authCache.knownScopes());
    }

    @Test
    public void testHealthCheckFailure() throws Exception {
        RbacRoles load = RbacRoles.load(getClass().getClassLoader(), "test_rbac_roles.json");
        RbacOrmService rbacOrmService = (RbacOrmService) Mockito.mock(RbacOrmService.class);
        ((RbacOrmService) Mockito.doThrow(new Throwable[]{new RuntimeException("DB connection failed")}).when(rbacOrmService)).healthcheck();
        this.authCache = new DbAuthCache(load, Scope.ROOT_SCOPE, new DbAuthStoreConfig(DbAuthStoreDummyConfig.getConfig()), rbacOrmService, new Metrics());
        AuthCache.Result healthcheck = this.authCache.healthcheck();
        AssertJUnit.assertFalse("Healhcheck is not failed", healthcheck.isHealthy());
        AssertJUnit.assertEquals("DB connection failed", healthcheck.getMessage());
    }

    private void updateRoleBinding(KafkaPrincipal kafkaPrincipal, String str, Scope scope) throws InterruptedException, ExecutionException, TimeoutException {
        this.dbAuthWriter.addClusterRoleBinding(kafkaPrincipal, str, scope).toCompletableFuture().get(1L, TimeUnit.SECONDS);
    }

    private void updateResourceRoleBinding(KafkaPrincipal kafkaPrincipal, String str, Scope scope, Set<ResourcePattern> set) throws InterruptedException, ExecutionException, TimeoutException {
        this.dbAuthWriter.addResourceRoleBinding(kafkaPrincipal, str, scope, set).toCompletableFuture().get(1L, TimeUnit.SECONDS);
    }

    private void deleteRoleBinding(KafkaPrincipal kafkaPrincipal, String str, Scope scope) throws InterruptedException, ExecutionException, TimeoutException {
        this.dbAuthWriter.removeRoleBinding(kafkaPrincipal, str, scope).toCompletableFuture().get(1L, TimeUnit.SECONDS);
    }

    private void verifyPermissions(KafkaPrincipal kafkaPrincipal, ResourcePattern resourcePattern, String... strArr) {
        verifyPermissions(this.clusterA, kafkaPrincipal, resourcePattern, strArr);
    }

    private void verifyPermissions(Scope scope, KafkaPrincipal kafkaPrincipal, ResourcePattern resourcePattern, String... strArr) {
        RbacTestUtils.verifyPermissions(this.authCache, kafkaPrincipal, Collections.emptySet(), scope, resourcePattern, strArr);
    }
}
