package org.apache.kafka.metadata.authorizer;

import java.io.PrintStream;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Random;
import java.util.Set;
import java.util.function.Predicate;
import net.jqwik.api.Assume;
import net.jqwik.api.ForAll;
import net.jqwik.api.Property;
import net.jqwik.api.constraints.AlphaChars;
import net.jqwik.api.constraints.Chars;
import net.jqwik.api.constraints.NumericChars;
import net.jqwik.api.constraints.Size;
import org.apache.kafka.common.Uuid;
import org.apache.kafka.common.acl.AccessControlEntryFilter;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.internals.Topic;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourcePatternFilter;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.metadata.authorizer.MockAuthorizableRequestContext;
import org.apache.kafka.metadata.authorizer.StandardAuthorizerTest;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.junit.jupiter.api.Assertions;

/* loaded from: input_file:org/apache/kafka/metadata/authorizer/StandardAuthorizerPropertyTest.class */
public class StandardAuthorizerPropertyTest {

    @Target({ElementType.ANNOTATION_TYPE, ElementType.PARAMETER, ElementType.TYPE_USE})
    @Retention(RetentionPolicy.RUNTIME)
    @AlphaChars
    @NumericChars
    @Chars({'_', '-', '.'})
    /* loaded from: input_file:org/apache/kafka/metadata/authorizer/StandardAuthorizerPropertyTest$ValidTopicChars.class */
    public @interface ValidTopicChars {
    }

    @Property(tries = 5000)
    public void matchingPrefixDenyOverridesAllAllowRules(@ForAll Random random, @ForAll @ValidTopicChars String str, @ForAll @Size(max = 10) Set<String> set) throws Exception {
        Assume.that(Topic.isValid(str));
        StandardAuthorizer buildAuthorizer = buildAuthorizer();
        buildAuthorizer.addAcl(Uuid.randomUuid(), buildTopicWriteAcl(str.substring(0, random.nextInt(str.length())), PatternType.PREFIXED, AclPermissionType.DENY));
        addRandomPrefixAllowAcls(buildAuthorizer, str, set);
        assertAuthorizationResult(buildAuthorizer, AuthorizationResult.DENIED, AclOperation.WRITE, new ResourcePattern(ResourceType.TOPIC, str, PatternType.LITERAL));
    }

    @Property(tries = 5000)
    public void matchingLiteralDenyOverridesAllAllowRules(@ForAll @ValidTopicChars String str, @ForAll @Size(max = 10) Set<String> set) throws Exception {
        Assume.that(Topic.isValid(str));
        StandardAuthorizer buildAuthorizer = buildAuthorizer();
        buildAuthorizer.addAcl(Uuid.randomUuid(), buildTopicWriteAcl(str, PatternType.LITERAL, AclPermissionType.DENY));
        addRandomPrefixAllowAcls(buildAuthorizer, str, set);
        assertAuthorizationResult(buildAuthorizer, AuthorizationResult.DENIED, AclOperation.WRITE, new ResourcePattern(ResourceType.TOPIC, str, PatternType.LITERAL));
    }

    @Property(tries = 5000)
    public void matchingPrefixAllowWithNoMatchingDenyRules(@ForAll Random random, @ForAll @ValidTopicChars String str, @ForAll @Size(max = 10) Set<String> set) throws Exception {
        Assume.that(Topic.isValid(str));
        StandardAuthorizer buildAuthorizer = buildAuthorizer();
        buildAuthorizer.addAcl(Uuid.randomUuid(), buildTopicWriteAcl(str.substring(0, random.nextInt(str.length())), PatternType.PREFIXED, AclPermissionType.ALLOW));
        addRandomNonMatchingPrefixDenyAcls(buildAuthorizer, str, set);
        assertAuthorizationResult(buildAuthorizer, AuthorizationResult.ALLOWED, AclOperation.WRITE, new ResourcePattern(ResourceType.TOPIC, str, PatternType.LITERAL));
    }

    @Property(tries = 5000)
    public void matchingLiteralAllowWithNoMatchingDenyRules(@ForAll @ValidTopicChars String str, @ForAll @Size(max = 10) Set<String> set) throws Exception {
        Assume.that(Topic.isValid(str));
        StandardAuthorizer buildAuthorizer = buildAuthorizer();
        buildAuthorizer.addAcl(Uuid.randomUuid(), buildTopicWriteAcl(str, PatternType.LITERAL, AclPermissionType.ALLOW));
        addRandomNonMatchingPrefixDenyAcls(buildAuthorizer, str, set);
        assertAuthorizationResult(buildAuthorizer, AuthorizationResult.ALLOWED, AclOperation.WRITE, new ResourcePattern(ResourceType.TOPIC, str, PatternType.LITERAL));
    }

    private StandardAuthorizer buildAuthorizer() {
        StandardAuthorizer standardAuthorizer = new StandardAuthorizer();
        standardAuthorizer.start(new StandardAuthorizerTest.AuthorizerTestServerInfo(Collections.singletonList(StandardAuthorizerTest.PLAINTEXT)));
        standardAuthorizer.completeInitialLoad();
        return standardAuthorizer;
    }

    private void assertAuthorizationResult(StandardAuthorizer standardAuthorizer, AuthorizationResult authorizationResult, AclOperation aclOperation, ResourcePattern resourcePattern) throws Exception {
        List authorize = standardAuthorizer.authorize(newRequestContext(), Collections.singletonList(new Action(aclOperation, resourcePattern, 1, false, false)));
        Assertions.assertEquals(1, authorize.size());
        AuthorizationResult authorizationResult2 = (AuthorizationResult) authorize.get(0);
        try {
            Assertions.assertEquals(authorizationResult, authorizationResult2);
        } catch (Throwable th) {
            printCounterExample(standardAuthorizer, aclOperation, resourcePattern, authorizationResult2);
            throw th;
        }
    }

    private void printCounterExample(StandardAuthorizer standardAuthorizer, AclOperation aclOperation, ResourcePattern resourcePattern, AuthorizationResult authorizationResult) {
        System.out.println("Assertion FAILED: Operation " + aclOperation + " on " + resourcePattern + " is " + authorizationResult + ". Current ACLS:");
        Iterable acls = standardAuthorizer.acls(new AclBindingFilter(new ResourcePatternFilter(ResourceType.ANY, (String) null, PatternType.ANY), new AccessControlEntryFilter((String) null, (String) null, AclOperation.ANY, AclPermissionType.ANY)));
        PrintStream printStream = System.out;
        Objects.requireNonNull(printStream);
        acls.forEach((v1) -> {
            r1.println(v1);
        });
    }

    private static AuthorizableRequestContext newRequestContext() throws Exception {
        return new MockAuthorizableRequestContext.Builder().setPrincipal(new KafkaPrincipal("User", "user")).build();
    }

    private static StandardAcl buildTopicWriteAcl(String str, PatternType patternType, AclPermissionType aclPermissionType) {
        return new StandardAcl(ResourceType.TOPIC, str, patternType, "User:*", "*", AclOperation.WRITE, aclPermissionType);
    }

    private boolean isPrefix(String str, String str2) {
        if (str2.length() > str.length()) {
            return false;
        }
        return str.substring(0, str2.length()).equals(str2);
    }

    private void addRandomNonMatchingPrefixDenyAcls(StandardAuthorizer standardAuthorizer, String str, Set<String> set) {
        addRandomPrefixRules(standardAuthorizer, str, set, AclPermissionType.DENY, str2 -> {
            return (str2.isEmpty() || isPrefix(str, str2)) ? false : true;
        });
    }

    private void addRandomPrefixAllowAcls(StandardAuthorizer standardAuthorizer, String str, Set<String> set) {
        addRandomPrefixRules(standardAuthorizer, str, set, AclPermissionType.ALLOW, str2 -> {
            return !str2.isEmpty();
        });
    }

    private void addRandomPrefixRules(StandardAuthorizer standardAuthorizer, String str, Set<String> set, AclPermissionType aclPermissionType, Predicate<String> predicate) {
        HashSet hashSet = new HashSet();
        for (int i = 0; i < str.length(); i++) {
            String substring = str.substring(0, i);
            Iterator<String> it = set.iterator();
            while (it.hasNext()) {
                String str2 = substring + it.next();
                if (predicate.test(str2)) {
                    hashSet.add(str2);
                }
            }
        }
        Iterator it2 = hashSet.iterator();
        while (it2.hasNext()) {
            standardAuthorizer.addAcl(Uuid.randomUuid(), buildTopicWriteAcl((String) it2.next(), PatternType.PREFIXED, aclPermissionType));
        }
    }
}
