package org.apache.kafka.metadata.authorizer;

import java.net.InetAddress;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.atomic.AtomicLong;
import org.apache.kafka.common.Uuid;
import org.apache.kafka.common.acl.AccessControlEntryFilter;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourcePatternFilter;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.metadata.authorizer.MockAuthorizableRequestContext;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.Timeout;

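/**
 * Unit tests for {@link StandardAuthorizer} configuration parsing, ACL listing and
 * authorization decisions, plus the single-ACL matcher {@code StandardAuthorizerData.findResult}.
 *
 * <p>Security-relevant behaviour pinned by the assertions in this class:
 * <ul>
 *   <li>without {@code allow.everyone.if.no.acl.found} the default result is {@code DENIED};</li>
 *   <li>a matching DENY wins over a matching ALLOW in every combination exercised here;</li>
 *   <li>an ALLOW on some operations implies DESCRIBE / DESCRIBE_CONFIGS, while a DENY is
 *       never widened to another operation;</li>
 *   <li>ACLs match on principal (exact or {@code User:*}) and on client host (exact address
 *       or {@code *}).</li>
 * </ul>
 */
@Timeout(40)
public class StandardAuthorizerTest {
    // Not referenced by any method in this class; kept so the class layout is unchanged.
    private static final AtomicLong NEXT_ID = new AtomicLong(0);

    /**
     * Checks parsing of the {@code super.users} setting: absent or blank values give an empty
     * set, entries are split on ';' with surrounding whitespace and empty entries ignored, and
     * an entry that is not in {@code principalType:principalName} form is rejected.
     */
    @Test
    public void testGetConfiguredSuperUsers() {
        Assertions.assertEquals(Collections.emptySet(),
            StandardAuthorizer.getConfiguredSuperUsers(Collections.emptyMap()));
        Assertions.assertEquals(Collections.emptySet(),
            StandardAuthorizer.getConfiguredSuperUsers(Collections.singletonMap("super.users", " ")));
        Assertions.assertEquals(new HashSet<>(Arrays.asList("User:bob", "User:alice")),
            StandardAuthorizer.getConfiguredSuperUsers(
                Collections.singletonMap("super.users", "User:bob;User:alice ")));
        Assertions.assertEquals(new HashSet<>(Arrays.asList("User:bob", "User:alice")),
            StandardAuthorizer.getConfiguredSuperUsers(
                Collections.singletonMap("super.users", ";  User:bob  ;  User:alice ")));

        // A malformed entry must fail loudly rather than be silently dropped or accepted.
        IllegalArgumentException malformed = Assertions.assertThrows(IllegalArgumentException.class,
            () -> StandardAuthorizer.getConfiguredSuperUsers(
                Collections.singletonMap("super.users", "bob;:alice")));
        Assertions.assertEquals("expected a string in format principalType:principalName but got bob",
            malformed.getMessage());
    }

    /**
     * Checks that the fallback decision is {@code DENIED} unless
     * {@code allow.everyone.if.no.acl.found} is explicitly {@code "true"}.
     */
    @Test
    public void testGetDefaultResult() {
        Assertions.assertEquals(AuthorizationResult.DENIED,
            StandardAuthorizer.getDefaultResult(Collections.emptyMap()));
        Assertions.assertEquals(AuthorizationResult.ALLOWED,
            StandardAuthorizer.getDefaultResult(
                Collections.singletonMap("allow.everyone.if.no.acl.found", "true")));
        Assertions.assertEquals(AuthorizationResult.DENIED,
            StandardAuthorizer.getDefaultResult(
                Collections.singletonMap("allow.everyone.if.no.acl.found", "false")));
    }

    /** Checks that {@code configure} applies both the super-user list and the default result. */
    @Test
    public void testConfigure() {
        StandardAuthorizer authorizer = new StandardAuthorizer();
        HashMap<String, Object> config = new HashMap<>();
        config.put("super.users", "User:alice;User:chris");
        config.put("allow.everyone.if.no.acl.found", "true");
        authorizer.configure(config);
        Assertions.assertEquals(new HashSet<>(Arrays.asList("User:alice", "User:chris")),
            authorizer.superUsers());
        Assertions.assertEquals(AuthorizationResult.ALLOWED, authorizer.defaultResult());
    }

    /**
     * Builds an {@link Action} on a LITERAL resource pattern, with a reference count of 1 and
     * both logging flags off.
     */
    static Action newAction(AclOperation aclOperation, ResourceType resourceType, String str) {
        ResourcePattern pattern = new ResourcePattern(resourceType, str, PatternType.LITERAL);
        return new Action(aclOperation, pattern, 1, false, false);
    }

    /** Builds an ACL for {@code User:bob}, any host, on topics prefixed with {@code foo_}. */
    static StandardAcl newFooAcl(AclOperation aclOperation, AclPermissionType aclPermissionType) {
        return new StandardAcl(ResourceType.TOPIC, "foo_", PatternType.PREFIXED,
            "User:bob", "*", aclOperation, aclPermissionType);
    }

    /**
     * Pairs an ACL with a deterministic id built from the ACL's {@code hashCode()} in both
     * halves of the {@link Uuid}.
     */
    static StandardAclWithId withId(StandardAcl standardAcl) {
        // NOTE(review): two distinct ACLs with equal hashCode() would share an id; the fixtures
        // in this class presumably never collide - confirm before adding new ones.
        int hash = standardAcl.hashCode();
        return new StandardAclWithId(new Uuid(hash, hash), standardAcl);
    }

    /**
     * Checks operation implication in {@code findResult} for a single ACL: an ALLOW on a
     * stronger operation also allows DESCRIBE / DESCRIBE_CONFIGS, whereas a DENY only affects
     * the exact operation it names. A {@code null} result means the ACL made no decision.
     */
    @Test
    public void testFindResultImplication() throws Exception {
        AuthorizableRequestContext bob = newRequestContext("bob");
        Action describe = newAction(AclOperation.DESCRIBE, ResourceType.TOPIC, "foo_bar");
        Action describeConfigs = newAction(AclOperation.DESCRIBE_CONFIGS, ResourceType.TOPIC, "foo_bar");
        Action alterConfigs = newAction(AclOperation.ALTER_CONFIGS, ResourceType.TOPIC, "foo_bar");

        // ALLOW on any of these operations implies DESCRIBE.
        for (AclOperation granted : Arrays.asList(AclOperation.DESCRIBE, AclOperation.READ,
                AclOperation.WRITE, AclOperation.DELETE, AclOperation.ALTER)) {
            Assertions.assertEquals(AuthorizationResult.ALLOWED,
                StandardAuthorizerData.findResult(describe, bob,
                    newFooAcl(granted, AclPermissionType.ALLOW)));
        }
        // ALLOW CREATE does not imply DESCRIBE.
        Assertions.assertNull(StandardAuthorizerData.findResult(describe, bob,
            newFooAcl(AclOperation.CREATE, AclPermissionType.ALLOW)));

        // DENY is not widened: denying a stronger operation leaves DESCRIBE undecided.
        for (AclOperation denied : Arrays.asList(AclOperation.READ, AclOperation.WRITE,
                AclOperation.DELETE, AclOperation.ALTER)) {
            Assertions.assertNull(StandardAuthorizerData.findResult(describe, bob,
                newFooAcl(denied, AclPermissionType.DENY)));
        }
        Assertions.assertEquals(AuthorizationResult.DENIED,
            StandardAuthorizerData.findResult(describe, bob,
                newFooAcl(AclOperation.DESCRIBE, AclPermissionType.DENY)));

        // The same rules hold for the *_CONFIGS pair.
        for (AclOperation granted : Arrays.asList(AclOperation.DESCRIBE_CONFIGS,
                AclOperation.ALTER_CONFIGS)) {
            Assertions.assertEquals(AuthorizationResult.ALLOWED,
                StandardAuthorizerData.findResult(describeConfigs, bob,
                    newFooAcl(granted, AclPermissionType.ALLOW)));
        }
        Assertions.assertNull(StandardAuthorizerData.findResult(describeConfigs, bob,
            newFooAcl(AclOperation.ALTER_CONFIGS, AclPermissionType.DENY)));
        Assertions.assertEquals(AuthorizationResult.DENIED,
            StandardAuthorizerData.findResult(alterConfigs, bob,
                newFooAcl(AclOperation.ALTER_CONFIGS, AclPermissionType.DENY)));
    }

    /** Builds an ACL for every user ({@code User:*}), any host, on the literal group {@code bar}. */
    static StandardAcl newBarAcl(AclOperation aclOperation, AclPermissionType aclPermissionType) {
        return new StandardAcl(ResourceType.GROUP, "bar", PatternType.LITERAL,
            "User:*", "*", aclOperation, aclPermissionType);
    }

    /**
     * Checks principal matching in {@code findResult}: an ACL for {@code User:bob} applies to
     * bob only, while an ACL for {@code User:*} applies to any user.
     */
    @Test
    public void testFindResultPrincipalMatching() throws Exception {
        Action readFooBar = newAction(AclOperation.READ, ResourceType.TOPIC, "foo_bar");
        Assertions.assertEquals(AuthorizationResult.ALLOWED,
            StandardAuthorizerData.findResult(readFooBar, newRequestContext("bob"),
                newFooAcl(AclOperation.READ, AclPermissionType.ALLOW)));
        // alice is not named by the ACL, so it makes no decision for her.
        Assertions.assertNull(StandardAuthorizerData.findResult(readFooBar, newRequestContext("alice"),
            newFooAcl(AclOperation.READ, AclPermissionType.ALLOW)));
        // The wildcard principal matches alice.
        Assertions.assertEquals(AuthorizationResult.DENIED,
            StandardAuthorizerData.findResult(
                newAction(AclOperation.READ, ResourceType.GROUP, "bar"),
                newRequestContext("alice"),
                newBarAcl(AclOperation.READ, AclPermissionType.DENY)));
    }

    /**
     * Asserts that {@code iterable} yields exactly the bindings of {@code standardAclArr}, in
     * order: no extra elements and none missing.
     */
    private static void assertContains(Iterable<AclBinding> iterable, StandardAcl... standardAclArr) {
        int seen = 0;
        for (AclBinding actual : iterable) {
            Assertions.assertTrue(seen < standardAclArr.length,
                "Expected only " + standardAclArr.length + " element(s)");
            Assertions.assertEquals(standardAclArr[seen].toBinding(), actual,
                "Unexpected element " + seen);
            seen++;
        }
        // The loop alone cannot notice a short result, so the count is checked explicitly;
        // otherwise an authorizer that lists too few (or no) ACLs would pass.
        Assertions.assertEquals(standardAclArr.length, seen,
            "Expected " + standardAclArr.length + " element(s) but found " + seen);
    }

    /** Registers each ACL with the authorizer under the id produced by {@link #withId}. */
    private static void addAcls(StandardAuthorizer authorizer, StandardAcl... acls) {
        for (StandardAcl acl : acls) {
            StandardAclWithId entry = withId(acl);
            authorizer.addAcl(entry.id(), entry.acl());
        }
    }

    /**
     * Checks that {@code acls} lists what was added, reflects a removal, and honours a
     * resource-type filter.
     */
    @Test
    public void testListAcls() throws Exception {
        StandardAuthorizer authorizer = new StandardAuthorizer();
        authorizer.configure(Collections.emptyMap());
        List<StandardAclWithId> fooAcls = Arrays.asList(
            withId(newFooAcl(AclOperation.READ, AclPermissionType.ALLOW)),
            withId(newFooAcl(AclOperation.WRITE, AclPermissionType.ALLOW)));
        List<StandardAclWithId> barAcls = Arrays.asList(
            withId(newBarAcl(AclOperation.DESCRIBE_CONFIGS, AclPermissionType.DENY)),
            withId(newBarAcl(AclOperation.ALTER_CONFIGS, AclPermissionType.DENY)));
        for (StandardAclWithId entry : fooAcls) {
            authorizer.addAcl(entry.id(), entry.acl());
        }
        for (StandardAclWithId entry : barAcls) {
            authorizer.addAcl(entry.id(), entry.acl());
        }

        assertContains(authorizer.acls(AclBindingFilter.ANY),
            fooAcls.get(0).acl(), fooAcls.get(1).acl(), barAcls.get(0).acl(), barAcls.get(1).acl());

        // Removing by id must drop exactly that ACL from the listing.
        authorizer.removeAcl(fooAcls.get(1).id());
        assertContains(authorizer.acls(AclBindingFilter.ANY),
            fooAcls.get(0).acl(), barAcls.get(0).acl(), barAcls.get(1).acl());

        // Filtering on TOPIC leaves only the remaining foo_ ACL.
        AclBindingFilter topicsOnly = new AclBindingFilter(
            new ResourcePatternFilter(ResourceType.TOPIC, null, PatternType.ANY),
            AccessControlEntryFilter.ANY);
        assertContains(authorizer.acls(topicsOnly), fooAcls.get(0).acl());
    }

    /** Checks two straightforward ALLOW decisions through {@code authorize}. */
    @Test
    public void testSimpleAuthorizations() throws Exception {
        StandardAuthorizer authorizer = new StandardAuthorizer();
        authorizer.configure(Collections.emptyMap());
        addAcls(authorizer,
            newFooAcl(AclOperation.READ, AclPermissionType.ALLOW),
            newFooAcl(AclOperation.WRITE, AclPermissionType.ALLOW),
            newBarAcl(AclOperation.DESCRIBE_CONFIGS, AclPermissionType.ALLOW),
            newBarAcl(AclOperation.ALTER_CONFIGS, AclPermissionType.ALLOW));

        // The prefixed ACL "foo_" also covers the topic whose name equals the prefix.
        Assertions.assertEquals(Collections.singletonList(AuthorizationResult.ALLOWED),
            authorizer.authorize(newRequestContext("bob"),
                Collections.singletonList(newAction(AclOperation.READ, ResourceType.TOPIC, "foo_"))));
        // fred is covered by the User:* ACL on group "bar".
        Assertions.assertEquals(Collections.singletonList(AuthorizationResult.ALLOWED),
            authorizer.authorize(newRequestContext("fred"),
                Collections.singletonList(
                    newAction(AclOperation.ALTER_CONFIGS, ResourceType.GROUP, "bar"))));
    }

    /**
     * Checks that a literal DENY for operation ALL on topic {@code foo} overrides prefixed
     * ALLOW entries for the same name, for a named principal and for {@code User:*}.
     */
    @Test
    public void testDenyPrecedenceWithOperationAll() throws Exception {
        StandardAuthorizer authorizer = new StandardAuthorizer();
        authorizer.configure(Collections.emptyMap());
        addAcls(authorizer,
            new StandardAcl(ResourceType.TOPIC, "foo", PatternType.LITERAL,
                "User:alice", "*", AclOperation.ALL, AclPermissionType.DENY),
            new StandardAcl(ResourceType.TOPIC, "foo", PatternType.PREFIXED,
                "User:alice", "*", AclOperation.READ, AclPermissionType.ALLOW),
            new StandardAcl(ResourceType.TOPIC, "foo", PatternType.LITERAL,
                "User:*", "*", AclOperation.ALL, AclPermissionType.DENY),
            new StandardAcl(ResourceType.TOPIC, "foo", PatternType.PREFIXED,
                "User:*", "*", AclOperation.DESCRIBE, AclPermissionType.ALLOW));

        // alice: everything on "foo" is denied; READ on "foobar" is reached only by the ALLOW.
        Assertions.assertEquals(
            Arrays.asList(AuthorizationResult.DENIED, AuthorizationResult.DENIED,
                AuthorizationResult.DENIED, AuthorizationResult.ALLOWED),
            authorizer.authorize(newRequestContext("alice"), Arrays.asList(
                newAction(AclOperation.WRITE, ResourceType.TOPIC, "foo"),
                newAction(AclOperation.READ, ResourceType.TOPIC, "foo"),
                newAction(AclOperation.DESCRIBE, ResourceType.TOPIC, "foo"),
                newAction(AclOperation.READ, ResourceType.TOPIC, "foobar"))));

        // bob: only DESCRIBE on "foobaz" is allowed; READ there has no ALLOW and is denied.
        Assertions.assertEquals(
            Arrays.asList(AuthorizationResult.DENIED, AuthorizationResult.DENIED,
                AuthorizationResult.DENIED, AuthorizationResult.ALLOWED, AuthorizationResult.DENIED),
            authorizer.authorize(newRequestContext("bob"), Arrays.asList(
                newAction(AclOperation.DESCRIBE, ResourceType.TOPIC, "foo"),
                newAction(AclOperation.READ, ResourceType.TOPIC, "foo"),
                newAction(AclOperation.WRITE, ResourceType.TOPIC, "foo"),
                newAction(AclOperation.DESCRIBE, ResourceType.TOPIC, "foobaz"),
                newAction(AclOperation.READ, ResourceType.TOPIC, "foobaz"))));
    }

    /**
     * Checks that an ALLOW for operation ALL grants each specific operation, and only to the
     * principals and topics the ACL names.
     */
    @Test
    public void testTopicAclWithOperationAll() throws Exception {
        StandardAuthorizer authorizer = new StandardAuthorizer();
        authorizer.configure(Collections.emptyMap());
        addAcls(authorizer,
            new StandardAcl(ResourceType.TOPIC, "foo", PatternType.LITERAL,
                "User:*", "*", AclOperation.ALL, AclPermissionType.ALLOW),
            new StandardAcl(ResourceType.TOPIC, "bar", PatternType.PREFIXED,
                "User:alice", "*", AclOperation.ALL, AclPermissionType.ALLOW),
            new StandardAcl(ResourceType.TOPIC, "baz", PatternType.LITERAL,
                "User:bob", "*", AclOperation.ALL, AclPermissionType.ALLOW));

        Assertions.assertEquals(
            Arrays.asList(AuthorizationResult.ALLOWED, AuthorizationResult.ALLOWED,
                AuthorizationResult.DENIED),
            authorizer.authorize(newRequestContext("alice"), Arrays.asList(
                newAction(AclOperation.WRITE, ResourceType.TOPIC, "foo"),
                newAction(AclOperation.DESCRIBE_CONFIGS, ResourceType.TOPIC, "bar"),
                newAction(AclOperation.DESCRIBE, ResourceType.TOPIC, "baz"))));
        Assertions.assertEquals(
            Arrays.asList(AuthorizationResult.ALLOWED, AuthorizationResult.DENIED,
                AuthorizationResult.ALLOWED),
            authorizer.authorize(newRequestContext("bob"), Arrays.asList(
                newAction(AclOperation.WRITE, ResourceType.TOPIC, "foo"),
                newAction(AclOperation.READ, ResourceType.TOPIC, "bar"),
                newAction(AclOperation.DESCRIBE, ResourceType.TOPIC, "baz"))));
        // A principal with no ACL of its own gets only what User:* grants.
        Assertions.assertEquals(
            Arrays.asList(AuthorizationResult.ALLOWED, AuthorizationResult.DENIED,
                AuthorizationResult.DENIED),
            authorizer.authorize(newRequestContext("malory"), Arrays.asList(
                newAction(AclOperation.DESCRIBE, ResourceType.TOPIC, "foo"),
                newAction(AclOperation.WRITE, ResourceType.TOPIC, "bar"),
                newAction(AclOperation.READ, ResourceType.TOPIC, "baz"))));
    }

    /** Builds a mock request context for the principal {@code User:<str>}. */
    private AuthorizableRequestContext newRequestContext(String str) throws Exception {
        KafkaPrincipal principal = new KafkaPrincipal("User", str);
        return new MockAuthorizableRequestContext.Builder().setPrincipal(principal).build();
    }

    /**
     * Checks host matching: an ACL bound to a specific address applies only to requests from
     * that address, and a host-specific DENY beats an any-host ALLOW.
     */
    @Test
    public void testHostAddressAclValidation() throws Exception {
        InetAddress host1 = InetAddress.getByName("192.168.1.1");
        InetAddress host2 = InetAddress.getByName("192.168.1.2");
        // NOTE(review): the expectations assume the local host address is neither of the two
        // literals above, and that getLocalHost() resolves on the build machine - confirm for CI.
        InetAddress localHost = InetAddress.getLocalHost();

        StandardAuthorizer authorizer = new StandardAuthorizer();
        authorizer.configure(Collections.emptyMap());
        addAcls(authorizer,
            new StandardAcl(ResourceType.TOPIC, "foo", PatternType.LITERAL,
                "User:alice", host1.getHostAddress(), AclOperation.READ, AclPermissionType.DENY),
            new StandardAcl(ResourceType.TOPIC, "foo", PatternType.LITERAL,
                "User:alice", "*", AclOperation.READ, AclPermissionType.ALLOW),
            new StandardAcl(ResourceType.TOPIC, "bar", PatternType.LITERAL,
                "User:bob", host2.getHostAddress(), AclOperation.READ, AclPermissionType.ALLOW),
            new StandardAcl(ResourceType.TOPIC, "bar", PatternType.LITERAL,
                "User:*", localHost.getHostAddress(), AclOperation.DESCRIBE, AclPermissionType.ALLOW));

        // Each result list below is ordered as: READ foo, READ bar, DESCRIBE bar.
        List<Action> actions = Arrays.asList(
            newAction(AclOperation.READ, ResourceType.TOPIC, "foo"),
            newAction(AclOperation.READ, ResourceType.TOPIC, "bar"),
            newAction(AclOperation.DESCRIBE, ResourceType.TOPIC, "bar"));

        Assertions.assertEquals(
            Arrays.asList(AuthorizationResult.ALLOWED, AuthorizationResult.DENIED,
                AuthorizationResult.ALLOWED),
            authorizer.authorize(newRequestContext("alice", localHost), actions));
        // From host1 the DENY for alice applies and overrides her any-host ALLOW.
        Assertions.assertEquals(
            Arrays.asList(AuthorizationResult.DENIED, AuthorizationResult.DENIED,
                AuthorizationResult.DENIED),
            authorizer.authorize(newRequestContext("alice", host1), actions));
        Assertions.assertEquals(
            Arrays.asList(AuthorizationResult.ALLOWED, AuthorizationResult.DENIED,
                AuthorizationResult.DENIED),
            authorizer.authorize(newRequestContext("alice", host2), actions));
        Assertions.assertEquals(
            Arrays.asList(AuthorizationResult.DENIED, AuthorizationResult.DENIED,
                AuthorizationResult.ALLOWED),
            authorizer.authorize(newRequestContext("bob", localHost), actions));
        Assertions.assertEquals(
            Arrays.asList(AuthorizationResult.DENIED, AuthorizationResult.DENIED,
                AuthorizationResult.DENIED),
            authorizer.authorize(newRequestContext("bob", host1), actions));
        // bob's READ ALLOW is bound to host2, and there it also yields DESCRIBE.
        Assertions.assertEquals(
            Arrays.asList(AuthorizationResult.DENIED, AuthorizationResult.ALLOWED,
                AuthorizationResult.ALLOWED),
            authorizer.authorize(newRequestContext("bob", host2), actions));
    }

    /** Builds a mock request context for {@code User:<str>} connecting from {@code inetAddress}. */
    private AuthorizableRequestContext newRequestContext(String str, InetAddress inetAddress) throws Exception {
        KafkaPrincipal principal = new KafkaPrincipal("User", str);
        return new MockAuthorizableRequestContext.Builder()
            .setPrincipal(principal)
            .setClientAddress(inetAddress)
            .build();
    }

    /**
     * Creates an authorizer holding a mix of literal, prefixed and wildcard-resource ACLs,
     * including overlapping ALLOW and DENY entries.
     */
    private static StandardAuthorizer createAuthorizerWithManyAcls() {
        StandardAuthorizer authorizer = new StandardAuthorizer();
        authorizer.configure(Collections.emptyMap());
        addAcls(authorizer,
            new StandardAcl(ResourceType.TOPIC, "green2", PatternType.LITERAL,
                "User:*", "*", AclOperation.READ, AclPermissionType.ALLOW),
            new StandardAcl(ResourceType.TOPIC, "green", PatternType.PREFIXED,
                "User:bob", "*", AclOperation.READ, AclPermissionType.ALLOW),
            new StandardAcl(ResourceType.TOPIC, "betamax4", PatternType.LITERAL,
                "User:bob", "*", AclOperation.READ, AclPermissionType.ALLOW),
            new StandardAcl(ResourceType.TOPIC, "betamax", PatternType.LITERAL,
                "User:bob", "*", AclOperation.READ, AclPermissionType.ALLOW),
            new StandardAcl(ResourceType.TOPIC, "beta", PatternType.PREFIXED,
                "User:*", "*", AclOperation.READ, AclPermissionType.ALLOW),
            new StandardAcl(ResourceType.TOPIC, "alpha", PatternType.PREFIXED,
                "User:*", "*", AclOperation.READ, AclPermissionType.ALLOW),
            new StandardAcl(ResourceType.TOPIC, "alp", PatternType.PREFIXED,
                "User:bob", "*", AclOperation.READ, AclPermissionType.DENY),
            new StandardAcl(ResourceType.GROUP, "*", PatternType.LITERAL,
                "User:bob", "*", AclOperation.WRITE, AclPermissionType.ALLOW),
            new StandardAcl(ResourceType.GROUP, "wheel", PatternType.LITERAL,
                "User:*", "*", AclOperation.WRITE, AclPermissionType.DENY));
        return authorizer;
    }

    /**
     * Checks decisions against the larger ACL set: prefix matching, the literal {@code *}
     * group ACL, DENY precedence and the default deny for unmatched resources.
     */
    @Test
    public void testAuthorizationWithManyAcls() throws Exception {
        StandardAuthorizer authorizer = createAuthorizerWithManyAcls();

        // "green1" is covered by bob's "green" prefix; the DENY on group "wheel" beats bob's
        // ALLOW on group "*".
        Assertions.assertEquals(
            Arrays.asList(AuthorizationResult.ALLOWED, AuthorizationResult.DENIED),
            authorizer.authorize(newRequestContext("bob"), Arrays.asList(
                newAction(AclOperation.READ, ResourceType.TOPIC, "green1"),
                newAction(AclOperation.WRITE, ResourceType.GROUP, "wheel"))));

        // The shorter "alp" DENY prefix still overrides the longer "alpha" ALLOW prefix;
        // "ala" matches no ACL and falls back to the default DENIED.
        Assertions.assertEquals(
            Arrays.asList(AuthorizationResult.DENIED, AuthorizationResult.ALLOWED,
                AuthorizationResult.DENIED),
            authorizer.authorize(newRequestContext("bob"), Arrays.asList(
                newAction(AclOperation.READ, ResourceType.TOPIC, "alpha"),
                newAction(AclOperation.WRITE, ResourceType.GROUP, "arbitrary"),
                newAction(AclOperation.READ, ResourceType.TOPIC, "ala"))));
    }
}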
