package io.confluent.kafka.schemaregistry.filter;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.util.concurrent.Futures;
import io.confluent.kafka.schemaregistry.util.ByteConsumerPool;
import io.confluent.kafka.schemaregistry.util.ByteProducerPool;
import io.confluent.kafka.schemaregistry.util.MaprFSUtils;
import io.confluent.kafka.schemaregistry.utils.UserGroupInformationMockPolicy;
import java.io.IOException;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.Response;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.kafka.clients.consumer.ConsumerRecord;
import org.apache.kafka.clients.consumer.ConsumerRecords;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.clients.producer.RecordMetadata;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.TopicPartition;
import org.easymock.Capture;
import org.easymock.EasyMock;
import org.easymock.EasyMockSupport;
import org.glassfish.jersey.server.ContainerRequest;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.powermock.core.classloader.annotations.MockPolicy;
import org.powermock.core.classloader.annotations.PrepareOnlyThisForTest;
import org.powermock.modules.junit4.PowerMockRunner;

@PrepareOnlyThisForTest({MaprFSUtils.class})
@RunWith(PowerMockRunner.class)
@MockPolicy({UserGroupInformationMockPolicy.class})
/* loaded from: input_file:io/confluent/kafka/schemaregistry/filter/AuthorizationFilterTest.class */
public class AuthorizationFilterTest extends EasyMockSupport {
    private static final String AUXILIARY_TOPIC = "/any-internal-topic:aux-topic";
    private static final String IMPERSONATED_USER = "user";
    private static final String ADMIN_USER = System.getProperty("user.name");
    private ByteConsumerPool byteConsumerPool;
    private ByteProducerPool byteProducerPool;
    private AuthorizationFilter authorizationFilter;

    @Before
    public void setUp() {
        this.byteConsumerPool = (ByteConsumerPool) mock(ByteConsumerPool.class);
        this.byteProducerPool = (ByteProducerPool) mock(ByteProducerPool.class);
        this.authorizationFilter = new AuthorizationFilter(this.byteConsumerPool, this.byteProducerPool, AUXILIARY_TOPIC);
    }

    @Test
    public void dummyRecordIsSent() {
        expectUserSendsRecordToAuxiliaryTopicSucceeds(ADMIN_USER);
        replayAll();
        this.authorizationFilter.initialize();
        verifyAll();
    }

    @Test
    public void handlesFutureExecutionExceptionOnInitialization() {
        RuntimeException runtimeException = new RuntimeException();
        EasyMock.expect(this.byteProducerPool.send(new ProducerRecord(AUXILIARY_TOPIC, (byte[]) EasyMock.anyObject(byte[].class)))).andReturn(Futures.immediateFailedFuture(runtimeException));
        replayAll();
        try {
            this.authorizationFilter.initialize();
            Assert.fail("No exception was thrown");
        } catch (KafkaException e) {
            Assert.assertThat(e.getCause(), CoreMatchers.instanceOf(ExecutionException.class));
            Assert.assertThat(e.getCause().getCause(), CoreMatchers.is(runtimeException));
        }
        verifyAll();
    }

    @Test
    public void unauthenticatedRequestIsForbidden() {
        ContainerRequest containerRequest = (ContainerRequest) mock(ContainerRequest.class);
        EasyMock.expect(containerRequest.getHeaderString("Authorization")).andStubReturn((Object) null);
        EasyMock.expect(containerRequest.getCookies()).andStubReturn(ImmutableMap.of());
        Capture newInstance = Capture.newInstance();
        expectAbortWith(containerRequest, (Response) EasyMock.capture(newInstance));
        replayAll();
        this.authorizationFilter.filter(containerRequest);
        verifyAll();
        Assert.assertThat(((Response) newInstance.getValue()).getStatusInfo().toEnum(), CoreMatchers.is(Response.Status.FORBIDDEN));
    }

    @Test
    public void authenticatedRequestSucceeds() {
        ContainerRequest createAuthenticatedRequest = createAuthenticatedRequest();
        this.authorizationFilter.resourceInfo = AuthorizationTestResource.resourceInfo(Permission.READ);
        expectUserPollsRecordsToAuxiliaryTopicSucceeds(IMPERSONATED_USER);
        replayAll();
        this.authorizationFilter.filter(createAuthenticatedRequest);
        verifyAll();
    }

    @Test
    public void writeCommandIsForbiddenWithoutWritePermission() {
        ContainerRequest createAuthenticatedRequest = createAuthenticatedRequest();
        this.authorizationFilter.resourceInfo = AuthorizationTestResource.resourceInfo(Permission.MODIFY);
        Capture newInstance = Capture.newInstance();
        expectAbortWith(createAuthenticatedRequest, (Response) EasyMock.capture(newInstance));
        expectUserSendsRecordToAuxiliaryTopicFails(IMPERSONATED_USER);
        replayAll();
        this.authorizationFilter.filter(createAuthenticatedRequest);
        verifyAll();
        Assert.assertThat(((Response) newInstance.getValue()).getStatusInfo().toEnum(), CoreMatchers.is(Response.Status.FORBIDDEN));
        Assert.assertThat(((Response) newInstance.getValue()).getEntity().toString(), CoreMatchers.containsString("denied"));
    }

    @Test
    public void writeCommandSucceedsWithWritePermission() {
        ContainerRequest createAuthenticatedRequest = createAuthenticatedRequest();
        this.authorizationFilter.resourceInfo = AuthorizationTestResource.resourceInfo(Permission.MODIFY);
        expectUserSendsRecordToAuxiliaryTopicSucceeds(IMPERSONATED_USER);
        replayAll();
        this.authorizationFilter.filter(createAuthenticatedRequest);
        verifyAll();
    }

    @Test
    public void readCommandIsForbiddenWithoutReadPermission() {
        ContainerRequest createAuthenticatedRequest = createAuthenticatedRequest();
        this.authorizationFilter.resourceInfo = AuthorizationTestResource.resourceInfo(Permission.READ);
        Capture newInstance = Capture.newInstance();
        expectAbortWith(createAuthenticatedRequest, (Response) EasyMock.capture(newInstance));
        expectUserPollsRecordsToAuxiliaryTopicFails(IMPERSONATED_USER);
        replayAll();
        this.authorizationFilter.filter(createAuthenticatedRequest);
        verifyAll();
        Assert.assertThat(((Response) newInstance.getValue()).getStatusInfo().toEnum(), CoreMatchers.is(Response.Status.FORBIDDEN));
        Assert.assertThat(((Response) newInstance.getValue()).getEntity().toString(), CoreMatchers.containsString("denied"));
    }

    @Test
    public void readCommandSucceedsWithReadPermission() {
        ContainerRequest createAuthenticatedRequest = createAuthenticatedRequest();
        this.authorizationFilter.resourceInfo = AuthorizationTestResource.resourceInfo(Permission.READ);
        expectUserPollsRecordsToAuxiliaryTopicSucceeds(IMPERSONATED_USER);
        replayAll();
        this.authorizationFilter.filter(createAuthenticatedRequest);
        verifyAll();
    }

    @Test
    public void readCommandIsForbiddenOnEmptyRecordsWithReadPermission() {
        ContainerRequest createAuthenticatedRequest = createAuthenticatedRequest();
        this.authorizationFilter.resourceInfo = AuthorizationTestResource.resourceInfo(Permission.READ);
        Capture newInstance = Capture.newInstance();
        expectAbortWith(createAuthenticatedRequest, (Response) EasyMock.capture(newInstance));
        EasyMock.expect(this.byteConsumerPool.poll(AUXILIARY_TOPIC)).andAnswer(() -> {
            assertUserIs(IMPERSONATED_USER);
            return new ConsumerRecords(ImmutableMap.of());
        });
        replayAll();
        this.authorizationFilter.filter(createAuthenticatedRequest);
        verifyAll();
        Assert.assertThat(((Response) newInstance.getValue()).getStatusInfo().toEnum(), CoreMatchers.is(Response.Status.FORBIDDEN));
        Assert.assertThat(((Response) newInstance.getValue()).getEntity().toString(), CoreMatchers.containsString("denied"));
    }

    @Test
    public void otherCommandsSucceedWithoutAnyPermissions() {
        ContainerRequest createAuthenticatedRequest = createAuthenticatedRequest();
        this.authorizationFilter.resourceInfo = AuthorizationTestResource.resourceInfo(Permission.NONE);
        replayAll();
        this.authorizationFilter.filter(createAuthenticatedRequest);
        verifyAll();
    }

    private ContainerRequest createAuthenticatedRequest() {
        ContainerRequest containerRequest = (ContainerRequest) mock(ContainerRequest.class);
        EasyMock.expect(containerRequest.getHeaderString("Authorization")).andStubReturn("Basic dXNlcjp1c2Vy");
        EasyMock.expect(containerRequest.getCookies()).andStubReturn(ImmutableMap.of("hadoop.auth", new Cookie("hadoop.auth", "hadoop.auth=smt&u=user")));
        return containerRequest;
    }

    private void expectAbortWith(ContainerRequest containerRequest, Response response) {
        containerRequest.abortWith(response);
        EasyMock.expectLastCall().once();
    }

    private void expectUserSendsRecordToAuxiliaryTopicSucceeds(String str) {
        EasyMock.expect(this.byteProducerPool.send(new ProducerRecord(AUXILIARY_TOPIC, (byte[]) EasyMock.anyObject(byte[].class)))).andAnswer(() -> {
            assertUserIs(str);
            return CompletableFuture.completedFuture(new RecordMetadata(new TopicPartition(AUXILIARY_TOPIC, 1), 0L, 0, -1L, -1, -1));
        });
    }

    private void expectUserSendsRecordToAuxiliaryTopicFails(String str) {
        EasyMock.expect(this.byteProducerPool.send(new ProducerRecord(AUXILIARY_TOPIC, (byte[]) EasyMock.anyObject(byte[].class)))).andAnswer(() -> {
            assertUserIs(str);
            return CompletableFuture.supplyAsync(() -> {
                throw new RuntimeException();
            });
        });
    }

    private void expectUserPollsRecordsToAuxiliaryTopicSucceeds(String str) {
        EasyMock.expect(this.byteConsumerPool.poll(AUXILIARY_TOPIC)).andAnswer(() -> {
            assertUserIs(str);
            return new ConsumerRecords(ImmutableMap.of(new TopicPartition("topic", 0), ImmutableList.of(new ConsumerRecord("topic", 0, 0L, "key".getBytes(), "value".getBytes()))));
        });
    }

    private void expectUserPollsRecordsToAuxiliaryTopicFails(String str) {
        EasyMock.expect(this.byteConsumerPool.poll(AUXILIARY_TOPIC)).andAnswer(() -> {
            assertUserIs(str);
            throw new ExecutionException(new RuntimeException());
        });
    }

    private void assertUserIs(String str) throws IOException {
        String userName = UserGroupInformation.getCurrentUser().getUserName();
        Assert.assertEquals(String.format("Expected user is %s while actual is %s", str, userName), str, userName);
    }
}
