package io.confluent.kafka.security.authorizer.acl;

import io.confluent.kafka.multitenant.integration.test.FileBasedPlainSaslAuthHostNameValidationIntegrationTest;
import io.confluent.security.authorizer.AccessRule;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import java.util.Collections;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;
import org.apache.kafka.metadata.authorizer.StandardAcl;
import org.apache.kafka.metadata.authorizer.StandardAuthorizer;
import org.apache.kafka.metadata.authorizer.StandardAuthorizerData;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/kafka/security/authorizer/acl/StandardAclProviderTest.class */
/**
 * Unit tests for {@code StandardAclProvider.findRule}, run against a Mockito mock of
 * {@link StandardAuthorizer}.
 *
 * <p>Every test stubs the authorizer's {@code findRule} with concrete argument values rather than
 * matchers, so the stub only answers when the provider hands over an equal principal set
 * (the user plus {@code AccessRule.WILDCARD_USER_PRINCIPAL}), the same host, and an equal Kafka
 * {@code Action}. The tests therefore pin both the request translation and the mapping of the
 * authorizer's answer onto {@link AuthorizeRule}.
 *
 * <p>NOTE(review): the host value is taken from
 * {@code FileBasedPlainSaslAuthHostNameValidationIntegrationTest.LOCAL_HOST_IP}, an unrelated
 * integration-test class. This looks like a decompiler constant substitution; confirm against
 * the original source before relying on that coupling.
 */
class StandardAclProviderTest {

    /** Builds the user principal "grover" that every test authorizes. */
    private static KafkaPrincipal groverPrincipal() {
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "grover");
    }

    /** Builds the Confluent-side request: READ on topic "foo" in the root scope. */
    private static Action readFooRequest() {
        return new Action(
                Scope.ROOT_SCOPE,
                AclMapper.resourceType(ResourceType.TOPIC),
                "foo",
                AclMapper.operation(AclOperation.READ));
    }

    /**
     * Builds the Kafka-side action the provider is expected to pass to the authorizer:
     * READ on the literal topic "foo", reference count 1, logging enabled for both outcomes.
     */
    private static org.apache.kafka.server.authorizer.Action expectedKafkaAction() {
        ResourcePattern fooTopic = new ResourcePattern(ResourceType.TOPIC, "foo", PatternType.LITERAL);
        return new org.apache.kafka.server.authorizer.Action(AclOperation.READ, fooTopic, 1, true, true);
    }

    /**
     * Builds a READ ACL on the literal topic "foo" for the wildcard user principal and host "*".
     *
     * @param permission whether the ACL allows or denies the operation
     */
    private static StandardAcl wildcardReadAcl(AclPermissionType permission) {
        return new StandardAcl(
                ResourceType.TOPIC,
                "foo",
                PatternType.LITERAL,
                AccessRule.WILDCARD_USER_PRINCIPAL.toString(),
                "*",
                AclOperation.READ,
                permission);
    }

    /** A matching ALLOW ACL must surface as a non-deny rule that carries an allow rule. */
    @Test
    public void testFindRuleAllowAcl() {
        StandardAuthorizer authorizer = Mockito.mock(StandardAuthorizer.class);
        StandardAclProvider provider = new StandardAclProvider(authorizer);
        KafkaPrincipal user = groverPrincipal();
        Action request = readFooRequest();

        Mockito.when(
                authorizer.findRule(
                        Utils.mkSet(user, AccessRule.WILDCARD_USER_PRINCIPAL),
                        FileBasedPlainSaslAuthHostNameValidationIntegrationTest.LOCAL_HOST_IP,
                        expectedKafkaAction()))
                .thenReturn(
                        new StandardAuthorizerData.MatchingAclRule(
                                wildcardReadAcl(AclPermissionType.ALLOW), AuthorizationResult.ALLOWED));

        AuthorizeRule outcome =
                provider.findRule(
                        user,
                        Collections.emptySet(),
                        FileBasedPlainSaslAuthHostNameValidationIntegrationTest.LOCAL_HOST_IP,
                        request);

        Assertions.assertFalse(outcome.deny());
        Assertions.assertTrue(outcome.allowRule().isPresent());
    }

    /** A matching DENY ACL must surface as an explicit deny. */
    @Test
    public void testFindRuleDenyAcl() {
        StandardAuthorizer authorizer = Mockito.mock(StandardAuthorizer.class);
        StandardAclProvider provider = new StandardAclProvider(authorizer);
        KafkaPrincipal user = groverPrincipal();
        Action request = readFooRequest();

        Mockito.when(
                authorizer.findRule(
                        Utils.mkSet(user, AccessRule.WILDCARD_USER_PRINCIPAL),
                        FileBasedPlainSaslAuthHostNameValidationIntegrationTest.LOCAL_HOST_IP,
                        expectedKafkaAction()))
                .thenReturn(
                        new StandardAuthorizerData.MatchingAclRule(
                                wildcardReadAcl(AclPermissionType.DENY), AuthorizationResult.DENIED));

        AuthorizeRule outcome =
                provider.findRule(
                        user,
                        Collections.emptySet(),
                        FileBasedPlainSaslAuthHostNameValidationIntegrationTest.LOCAL_HOST_IP,
                        request);

        // Only the deny flag is checked here; the allow-rule and no-ACL views are not asserted.
        Assertions.assertTrue(outcome.deny());
    }

    /**
     * A default rule with result ALLOWED (no ACL matched) must be reported as "no resource ACLs":
     * neither a deny nor an allow rule.
     */
    @Test
    public void testFindRuleNoAclRule() {
        StandardAuthorizer authorizer = Mockito.mock(StandardAuthorizer.class);
        StandardAclProvider provider = new StandardAclProvider(authorizer);
        KafkaPrincipal user = groverPrincipal();
        Action request = readFooRequest();

        Mockito.when(
                authorizer.findRule(
                        Utils.mkSet(user, AccessRule.WILDCARD_USER_PRINCIPAL),
                        FileBasedPlainSaslAuthHostNameValidationIntegrationTest.LOCAL_HOST_IP,
                        expectedKafkaAction()))
                .thenReturn(new StandardAuthorizerData.DefaultRule(AuthorizationResult.ALLOWED));

        AuthorizeRule outcome =
                provider.findRule(
                        user,
                        Collections.emptySet(),
                        FileBasedPlainSaslAuthHostNameValidationIntegrationTest.LOCAL_HOST_IP,
                        request);

        Assertions.assertFalse(outcome.deny());
        Assertions.assertFalse(outcome.allowRule().isPresent());
        Assertions.assertTrue(outcome.noResourceAcls());
    }

    /**
     * A default rule with result DENIED must yield a rule with all three views false: no explicit
     * deny, no allow rule, and {@code noResourceAcls()} false.
     *
     * <p>NOTE(review): presumably the caller treats the absence of an allow rule as the denial;
     * confirm against the code that consumes {@link AuthorizeRule}.
     */
    @Test
    public void testFindRuleDefaultDeny() {
        StandardAuthorizer authorizer = Mockito.mock(StandardAuthorizer.class);
        StandardAclProvider provider = new StandardAclProvider(authorizer);
        KafkaPrincipal user = groverPrincipal();
        Action request = readFooRequest();

        Mockito.when(
                authorizer.findRule(
                        Utils.mkSet(user, AccessRule.WILDCARD_USER_PRINCIPAL),
                        FileBasedPlainSaslAuthHostNameValidationIntegrationTest.LOCAL_HOST_IP,
                        expectedKafkaAction()))
                .thenReturn(new StandardAuthorizerData.DefaultRule(AuthorizationResult.DENIED));

        AuthorizeRule outcome =
                provider.findRule(
                        user,
                        Collections.emptySet(),
                        FileBasedPlainSaslAuthHostNameValidationIntegrationTest.LOCAL_HOST_IP,
                        request);

        Assertions.assertFalse(outcome.deny());
        Assertions.assertFalse(outcome.allowRule().isPresent());
        Assertions.assertFalse(outcome.noResourceAcls());
    }
}
