package kafka.security.authorizer;

import java.net.InetAddress;
import java.util.UUID;
import kafka.server.KafkaConfig;
import kafka.zookeeper.ZooKeeperClient;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AccessControlEntryFilter;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.network.ClientInformation;
import org.apache.kafka.common.network.ListenerName;
import org.apache.kafka.common.protocol.ApiKeys;
import org.apache.kafka.common.requests.RequestContext;
import org.apache.kafka.common.requests.RequestHeader;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.security.authenticator.PathAwareSniHostName;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.Authorizer;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import scala.Predef$;
import scala.collection.IterableOnceOps;
import scala.collection.immutable.Set;
import scala.jdk.CollectionConverters$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.runtime.RichInt$;
import scala.runtime.ScalaRunTime$;

/* compiled from: BaseAuthorizerTest.scala */
@ScalaSignature(bytes = "\u0006\u0005\u0005Mga\u0002\u0010 !\u0003\r\tA\n\u0005\u0006[\u0001!\tA\f\u0005\u0006A\u00011\tA\r\u0005\b\u007f\u0001\u0011\r\u0011\"\u0001A\u0011\u001dI\u0005A1A\u0005\u0002\u0001CqA\u0013\u0001C\u0002\u0013\u0005\u0001\tC\u0004L\u0001\t\u0007I\u0011\u0001'\t\u000fY\u0003!\u0019!C\u0001\u0019\"9q\u000b\u0001b\u0001\n\u0003A\u0006bB0\u0001\u0005\u0004%\t\u0001\u0011\u0005\nA\u0002\u0001\r\u00111A\u0005\u0002\u0005D\u0011b\u001a\u0001A\u0002\u0003\u0007I\u0011\u00015\t\u0013-\u0004\u0001\u0019!a\u0001\n\u0003a\u0007\"C:\u0001\u0001\u0004\u0005\r\u0011\"\u0001u\u0011%1\b\u00011AA\u0002\u0013\u0005q\u000fC\u0005~\u0001\u0001\u0007\t\u0019!C\u0001}\"1\u0011\u0011\u0001\u0001\u0005\u00029Ba!!\u0007\u0001\t\u0003q\u0003BBA\u000f\u0001\u0011\u0005a\u0006\u0003\u0004\u0002\"\u0001!\tA\f\u0005\u0007\u0003K\u0001A\u0011\u0001\u0018\t\r\u0005%\u0002\u0001\"\u0001/\u0011\u0019\ti\u0003\u0001C\u0001]!1\u0011\u0011\u0007\u0001\u0005\u00029Ba!!\u000e\u0001\t\u0003q\u0003bBA\u001d\u0001\u0011\u0005\u00111\b\u0005\n\u0003?\u0002\u0011\u0013!C\u0001\u0003CBq!a\u001e\u0001\t\u0003\tI\bC\u0004\u0002 \u0002!\t!!)\t\u000f\u0005%\u0007\u0001\"\u0001\u0002L\n\u0011\")Y:f\u0003V$\bn\u001c:ju\u0016\u0014H+Z:u\u0015\t\u0001\u0013%\u0001\u0006bkRDwN]5{KJT!AI\u0012\u0002\u0011M,7-\u001e:jifT\u0011\u0001J\u0001\u0006W\u000647.Y\u0002\u0001'\t\u0001q\u0005\u0005\u0002)W5\t\u0011FC\u0001+\u0003\u0015\u00198-\u00197b\u0013\ta\u0013F\u0001\u0004B]f\u0014VMZ\u0001\u0007I%t\u0017\u000e\u001e\u0013\u0015\u0003=\u0002\"\u0001\u000b\u0019\n\u0005EJ#\u0001B+oSR,\u0012a\r\t\u0003iuj\u0011!\u000e\u0006\u0003AYR!a\u000e\u001d\u0002\rM,'O^3s\u0015\t!\u0013H\u0003\u0002;w\u00051\u0011\r]1dQ\u0016T\u0011\u0001P\u0001\u0004_J<\u0017B\u0001 6\u0005)\tU\u000f\u001e5pe&TXM]\u0001\u000bgV\u0004XM]+tKJ\u001cX#A!\u0011\u0005\t;U\"A\"\u000b\u0005\u0011+\u0015\u0001\u00027b]\u001eT\u0011AR\u0001\u0005U\u00064\u0018-\u0003\u0002I\u0007\n11\u000b\u001e:j]\u001e\f\u0001\"^:fe:\fW.Z\u0001\nkN,'O\\1nKJ\n\u0011\u0002\u001d:j]\u000eL\u0007/\u00197\u0016\u00035\u0003\"A\u0014+\u000e\u0003=S!\u0001U)\u0002\t\u0005,H\u000f\u001b\u0006\u0003EIS!a\u0015\u001d\u0002\r\r|W.\\8o\u0013\t)vJ\u0001\bLC\u001a\\\u0017\r\u0015:j]\u000eL\u0007/\u00197\u0002\u0015A\u0014\u0018N\\2ja\u0006d''\u0001\bsKF,Xm\u001d;D_:$X\r\u001f;\u0016\u0003e\u0003\"AW/\u000e\u0003mS!\u0001\u0018*\u0002\u0011I,\u0017/^3tiNL!AX.\u0003\u001dI+\u0017/^3ti\u000e{g\u000e^3yi\u0006i1/\u001e9feV\u001bXM\u001d(b[\u0016\faaY8oM&<W#\u00012\u0011\u0005\r,W\"\u00013\u000b\u0005]\u001a\u0013B\u00014e\u0005-Y\u0015MZ6b\u0007>tg-[4\u0002\u0015\r|gNZ5h?\u0012*\u0017\u000f\u0006\u00020S\"9!nCA\u0001\u0002\u0004\u0011\u0017a\u0001=%c\u0005y!p\\8LK\u0016\u0004XM]\"mS\u0016tG/F\u0001n!\tq\u0017/D\u0001p\u0015\t\u00018%A\u0005{_>\\W-\u001a9fe&\u0011!o\u001c\u0002\u00105>|7*Z3qKJ\u001cE.[3oi\u0006\u0019\"p\\8LK\u0016\u0004XM]\"mS\u0016tGo\u0018\u0013fcR\u0011q&\u001e\u0005\bU6\t\t\u00111\u0001n\u0003!\u0011Xm]8ve\u000e,W#\u0001=\u0011\u0005e\\X\"\u0001>\u000b\u0005Y\u0014\u0016B\u0001?{\u0005=\u0011Vm]8ve\u000e,\u0007+\u0019;uKJt\u0017\u0001\u0004:fg>,(oY3`I\u0015\fHCA\u0018��\u0011\u001dQw\"!AA\u0002a\fq\u0006^3ti\u0006+H\u000f[8sSj,')\u001f*fg>,(oY3UsB,W*\u001e7uSBdW-\u00113e\u0003:$'+Z7pm\u0016D3\u0001EA\u0003!\u0011\t9!!\u0006\u000e\u0005\u0005%!\u0002BA\u0006\u0003\u001b\t1!\u00199j\u0015\u0011\ty!!\u0005\u0002\u000f),\b/\u001b;fe*\u0019\u00111C\u001e\u0002\u000b),h.\u001b;\n\t\u0005]\u0011\u0011\u0002\u0002\u0005)\u0016\u001cH/\u0001\"uKN$\u0018)\u001e;i_JL'0\u001a\"z%\u0016\u001cx.\u001e:dKRK\b/Z%t_2\fG/[8o+:\u0014X\r\\1uK\u0012$UM\\=X_:$Hi\\7j]\u0006$X-\u00117m_^D3!EA\u0003\u00039\"Xm\u001d;BkRDwN]5{K\nK(+Z:pkJ\u001cW\rV=qK\u0012+g.\u001f+bW\u0016\u001c\bK]3dK\u0012,gnY3)\u0007I\t)!A\u001cuKN$\u0018)\u001e;i_JL'0\u001a\"z%\u0016\u001cx.\u001e:dKRK\b/\u001a)sK\u001aL\u00070\u001a3SKN|WO]2f\t\u0016t\u0017\u0010R8nS:\fG/\u001a\u0015\u0004'\u0005\u0015\u0011a\u000e;fgR\fU\u000f\u001e5pe&TXMQ=SKN|WO]2f)f\u0004XmV5mI\u000e\f'\u000f\u001a*fg>,(oY3EK:LHi\\7j]\u0006$X\rK\u0002\u0015\u0003\u000b\ta\u0006^3ti\u0006+H\u000f[8sSj,')\u001f*fg>,(oY3UsB,w+\u001b;i\u00032dw\n]3sCRLwN\\!dK\"\u001aQ#!\u0002\u0002SQ,7\u000f^!vi\"|'/\u001b>f\u0005f\u0014Vm]8ve\u000e,G+\u001f9f/&$\b.\u00117m\u0011>\u001cH/Q2fQ\r1\u0012QA\u0001/i\u0016\u001cH/Q;uQ>\u0014\u0018N_3CsJ+7o\\;sG\u0016$\u0016\u0010]3XSRD\u0017\t\u001c7Qe&t7-\u001b9bY\u0006\u001bW\rK\u0002\u0018\u0003\u000b\tA\u0006^3ti\u0006+H\u000f[8su\u0016\u0014\u0015PU3t_V\u00148-\u001a+za\u0016\u001cV\u000f]3s+N,'\u000fS1t\u0003\u000e\u001cWm]:)\u0007a\t)!A\toK^\u0014V-];fgR\u001cuN\u001c;fqR$r!WA\u001f\u0003\u007f\ty\u0005C\u0003L3\u0001\u0007Q\nC\u0004\u0002Be\u0001\r!a\u0011\u0002\u001b\rd\u0017.\u001a8u\u0003\u0012$'/Z:t!\u0011\t)%a\u0013\u000e\u0005\u0005\u001d#bAA%\u000b\u0006\u0019a.\u001a;\n\t\u00055\u0013q\t\u0002\f\u0013:,G/\u00113ee\u0016\u001c8\u000fC\u0005\u0002Re\u0001\n\u00111\u0001\u0002T\u00051\u0011\r]5LKf\u0004B!!\u0016\u0002\\5\u0011\u0011q\u000b\u0006\u0004\u00033\u0012\u0016\u0001\u00039s_R|7m\u001c7\n\t\u0005u\u0013q\u000b\u0002\b\u0003BL7*Z=t\u0003mqWm\u001e*fcV,7\u000f^\"p]R,\u0007\u0010\u001e\u0013eK\u001a\fW\u000f\u001c;%gU\u0011\u00111\r\u0016\u0005\u0003'\n)g\u000b\u0002\u0002hA!\u0011\u0011NA:\u001b\t\tYG\u0003\u0003\u0002n\u0005=\u0014!C;oG\",7m[3e\u0015\r\t\t(K\u0001\u000bC:tw\u000e^1uS>t\u0017\u0002BA;\u0003W\u0012\u0011#\u001e8dQ\u0016\u001c7.\u001a3WCJL\u0017M\\2f\u0003]\tW\u000f\u001e5pe&TXMQ=SKN|WO]2f)f\u0004X\r\u0006\u0006\u0002|\u0005\u0005\u00151QAC\u0003+\u00032\u0001KA?\u0013\r\ty(\u000b\u0002\b\u0005>|G.Z1o\u0011\u0015\u00013\u00041\u00014\u0011\u001596\u00041\u0001Z\u0011\u001d\t9i\u0007a\u0001\u0003\u0013\u000b\u0011b\u001c9fe\u0006$\u0018n\u001c8\u0011\t\u0005-\u0015\u0011S\u0007\u0003\u0003\u001bS1!a$S\u0003\r\t7\r\\\u0005\u0005\u0003'\u000biI\u0001\u0007BG2|\u0005/\u001a:bi&|g\u000eC\u0004\u0002\u0018n\u0001\r!!'\u0002\u0019I,7o\\;sG\u0016$\u0016\u0010]3\u0011\u0007e\fY*C\u0002\u0002\u001ej\u0014ABU3t_V\u00148-\u001a+za\u0016\fq!\u00193e\u0003\u000ed7\u000fF\u00040\u0003G\u000b)+!2\t\u000b\u0001b\u0002\u0019A\u001a\t\u000f\u0005\u001dF\u00041\u0001\u0002*\u0006!\u0011mY3t!\u0019\tY+!/\u0002@:!\u0011QVA[!\r\ty+K\u0007\u0003\u0003cS1!a-&\u0003\u0019a$o\\8u}%\u0019\u0011qW\u0015\u0002\rA\u0013X\rZ3g\u0013\u0011\tY,!0\u0003\u0007M+GOC\u0002\u00028&\u0002B!a#\u0002B&!\u00111YAG\u0005I\t5mY3tg\u000e{g\u000e\u001e:pY\u0016sGO]=\t\r\u0005\u001dG\u00041\u0001y\u0003=\u0011Xm]8ve\u000e,\u0007+\u0019;uKJt\u0017A\u0003:f[>4X-Q2mgRA\u00111PAg\u0003\u001f\f\t\u000eC\u0003!;\u0001\u00071\u0007C\u0004\u0002(v\u0001\r!!+\t\r\u0005\u001dW\u00041\u0001y\u0001")
/* loaded from: input_file:kafka/security/authorizer/BaseAuthorizerTest.class */
public interface BaseAuthorizerTest {
    void kafka$security$authorizer$BaseAuthorizerTest$_setter_$superUsers_$eq(String str);

    void kafka$security$authorizer$BaseAuthorizerTest$_setter_$username_$eq(String str);

    void kafka$security$authorizer$BaseAuthorizerTest$_setter_$username2_$eq(String str);

    void kafka$security$authorizer$BaseAuthorizerTest$_setter_$principal_$eq(KafkaPrincipal kafkaPrincipal);

    void kafka$security$authorizer$BaseAuthorizerTest$_setter_$principal2_$eq(KafkaPrincipal kafkaPrincipal);

    void kafka$security$authorizer$BaseAuthorizerTest$_setter_$requestContext_$eq(RequestContext requestContext);

    void kafka$security$authorizer$BaseAuthorizerTest$_setter_$superUserName_$eq(String str);

    Authorizer authorizer();

    String superUsers();

    String username();

    String username2();

    KafkaPrincipal principal();

    KafkaPrincipal principal2();

    RequestContext requestContext();

    String superUserName();

    KafkaConfig config();

    void config_$eq(KafkaConfig kafkaConfig);

    ZooKeeperClient zooKeeperClient();

    void zooKeeperClient_$eq(ZooKeeperClient zooKeeperClient);

    ResourcePattern resource();

    void resource_$eq(ResourcePattern resourcePattern);

    @Test
    default void testAuthorizeByResourceTypeMultipleAddAndRemove() {
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "user1");
        InetAddress byName = InetAddress.getByName("192.168.1.1");
        ResourcePattern resourcePattern = new ResourcePattern(ResourceType.TOPIC, new StringBuilder(3).append("sb1").append(UUID.randomUUID()).toString(), PatternType.LITERAL);
        AccessControlEntry accessControlEntry = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.READ, AclPermissionType.DENY);
        AccessControlEntry accessControlEntry2 = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.READ, AclPermissionType.ALLOW);
        RequestContext newRequestContext = newRequestContext(kafkaPrincipal, byName, newRequestContext$default$3());
        RichInt$.MODULE$.to$extension(Predef$.MODULE$.intWrapper(1), 10).foreach$mVc$sp(i -> {
            Assertions.assertFalse(this.authorizeByResourceType(this.authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 should not have READ access to any topic when no ACL exists");
            this.addAcls(this.authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry2})), resourcePattern);
            Assertions.assertTrue(this.authorizeByResourceType(this.authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 now should have READ access to at least one topic");
            RichInt$.MODULE$.to$extension(Predef$.MODULE$.intWrapper(1), 10).foreach$mVc$sp(i -> {
                this.addAcls(this.authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern);
                Assertions.assertFalse(this.authorizeByResourceType(this.authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 now should not have READ access to any topic");
                this.removeAcls(this.authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern);
                this.addAcls(this.authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry2})), resourcePattern);
                Assertions.assertTrue(this.authorizeByResourceType(this.authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 now should have READ access to at least one topic");
            });
            this.removeAcls(this.authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry2})), resourcePattern);
            Assertions.assertFalse(this.authorizeByResourceType(this.authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 now should not have READ access to any topic");
        });
    }

    @Test
    default void testAuthorizeByResourceTypeIsolationUnrelatedDenyWontDominateAllow() {
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "user1");
        KafkaPrincipal kafkaPrincipal2 = new KafkaPrincipal("User", "user2");
        InetAddress byName = InetAddress.getByName("192.168.1.1");
        InetAddress byName2 = InetAddress.getByName("192.168.1.2");
        ResourcePattern resourcePattern = new ResourcePattern(ResourceType.TOPIC, new StringBuilder(3).append("sb1").append(UUID.randomUUID()).toString(), PatternType.LITERAL);
        ResourcePattern resourcePattern2 = new ResourcePattern(ResourceType.TOPIC, new StringBuilder(3).append("sb2").append(UUID.randomUUID()).toString(), PatternType.LITERAL);
        ResourcePattern resourcePattern3 = new ResourcePattern(ResourceType.GROUP, "s", PatternType.PREFIXED);
        AccessControlEntry accessControlEntry = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.READ, AclPermissionType.DENY);
        AccessControlEntry accessControlEntry2 = new AccessControlEntry(kafkaPrincipal2.toString(), byName.getHostAddress(), AclOperation.READ, AclPermissionType.DENY);
        AccessControlEntry accessControlEntry3 = new AccessControlEntry(kafkaPrincipal.toString(), byName2.getHostAddress(), AclOperation.WRITE, AclPermissionType.DENY);
        AccessControlEntry accessControlEntry4 = new AccessControlEntry(kafkaPrincipal.toString(), byName2.getHostAddress(), AclOperation.READ, AclPermissionType.DENY);
        AccessControlEntry accessControlEntry5 = new AccessControlEntry(kafkaPrincipal.toString(), byName2.getHostAddress(), AclOperation.READ, AclPermissionType.DENY);
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry, accessControlEntry2, accessControlEntry3, new AccessControlEntry(kafkaPrincipal2.toString(), byName2.getHostAddress(), AclOperation.READ, AclPermissionType.DENY), new AccessControlEntry(kafkaPrincipal.toString(), byName2.getHostAddress(), AclOperation.READ, AclPermissionType.ALLOW)})), resourcePattern);
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry4})), resourcePattern2);
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry5})), resourcePattern3);
        RequestContext newRequestContext = newRequestContext(kafkaPrincipal, byName, newRequestContext$default$3());
        RequestContext newRequestContext2 = newRequestContext(kafkaPrincipal, byName2, newRequestContext$default$3());
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 should not have READ access to any topic");
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.GROUP), "User1 from host2 should not have READ access to any consumer group");
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TRANSACTIONAL_ID), "User1 from host2 should not have READ access to any topic");
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.CLUSTER), "User1 from host2 should not have READ access to any topic");
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext2, AclOperation.READ, ResourceType.TOPIC), "User1 from host2 should have READ access to at least one topic");
    }

    @Test
    default void testAuthorizeByResourceTypeDenyTakesPrecedence() {
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "user1");
        InetAddress byName = InetAddress.getByName("192.168.1.1");
        ResourcePattern resourcePattern = new ResourcePattern(ResourceType.TOPIC, new StringBuilder(3).append("sb1").append(UUID.randomUUID()).toString(), PatternType.LITERAL);
        RequestContext newRequestContext = newRequestContext(kafkaPrincipal, byName, newRequestContext$default$3());
        AccessControlEntry accessControlEntry = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.WRITE, AclPermissionType.ALLOW);
        AccessControlEntry accessControlEntry2 = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.WRITE, AclPermissionType.DENY);
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern);
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.WRITE, ResourceType.TOPIC), "User1 from host1 should have WRITE access to at least one topic");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry2})), resourcePattern);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.WRITE, ResourceType.TOPIC), "User1 from host1 should not have WRITE access to any topic");
    }

    @Test
    default void testAuthorizeByResourceTypePrefixedResourceDenyDominate() {
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "user1");
        InetAddress byName = InetAddress.getByName("192.168.1.1");
        ResourcePattern resourcePattern = new ResourcePattern(ResourceType.GROUP, "a", PatternType.PREFIXED);
        ResourcePattern resourcePattern2 = new ResourcePattern(ResourceType.GROUP, "ab", PatternType.PREFIXED);
        ResourcePattern resourcePattern3 = new ResourcePattern(ResourceType.GROUP, "abc", PatternType.PREFIXED);
        ResourcePattern resourcePattern4 = new ResourcePattern(ResourceType.GROUP, "abcd", PatternType.PREFIXED);
        ResourcePattern resourcePattern5 = new ResourcePattern(ResourceType.GROUP, "abcde", PatternType.PREFIXED);
        RequestContext newRequestContext = newRequestContext(kafkaPrincipal, byName, newRequestContext$default$3());
        AccessControlEntry accessControlEntry = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.READ, AclPermissionType.ALLOW);
        AccessControlEntry accessControlEntry2 = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.READ, AclPermissionType.DENY);
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern5);
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.GROUP), "User1 from host1 should have READ access to at least one group");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry2})), resourcePattern4);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.GROUP), "User1 from host1 now should not have READ access to any group");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern3);
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.GROUP), "User1 from host1 now should have READ access to any group");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry2})), resourcePattern);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.GROUP), "User1 from host1 now should not have READ access to any group");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern2);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.GROUP), "User1 from host1 still should not have READ access to any group");
    }

    @Test
    default void testAuthorizeByResourceTypeWildcardResourceDenyDominate() {
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "user1");
        InetAddress byName = InetAddress.getByName("192.168.1.1");
        ResourcePattern resourcePattern = new ResourcePattern(ResourceType.GROUP, "*", PatternType.LITERAL);
        ResourcePattern resourcePattern2 = new ResourcePattern(ResourceType.GROUP, "hello", PatternType.PREFIXED);
        ResourcePattern resourcePattern3 = new ResourcePattern(ResourceType.GROUP, "aloha", PatternType.LITERAL);
        RequestContext newRequestContext = newRequestContext(kafkaPrincipal, byName, newRequestContext$default$3());
        AccessControlEntry accessControlEntry = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.WRITE, AclPermissionType.ALLOW);
        AccessControlEntry accessControlEntry2 = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.WRITE, AclPermissionType.DENY);
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern2);
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.WRITE, ResourceType.GROUP), "User1 from host1 should have WRITE access to at least one group");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry2})), resourcePattern);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.WRITE, ResourceType.GROUP), "User1 from host1 now should not have WRITE access to any group");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.WRITE, ResourceType.GROUP), "User1 from host1 still should not have WRITE access to any group");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern3);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.WRITE, ResourceType.GROUP), "User1 from host1 still should not have WRITE access to any group");
    }

    @Test
    default void testAuthorizeByResourceTypeWithAllOperationAce() {
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "user1");
        InetAddress byName = InetAddress.getByName("192.168.1.1");
        ResourcePattern resourcePattern = new ResourcePattern(ResourceType.TOPIC, new StringBuilder(3).append("sb1").append(UUID.randomUUID()).toString(), PatternType.LITERAL);
        AccessControlEntry accessControlEntry = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.ALL, AclPermissionType.DENY);
        AccessControlEntry accessControlEntry2 = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.ALL, AclPermissionType.ALLOW);
        AccessControlEntry accessControlEntry3 = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.WRITE, AclPermissionType.DENY);
        RequestContext newRequestContext = newRequestContext(kafkaPrincipal, byName, newRequestContext$default$3());
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 should not have READ access to any topic when no ACL exists");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry3, accessControlEntry2})), resourcePattern);
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 now should have READ access to at least one topic");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 now should not have READ access to any topic");
    }

    @Test
    default void testAuthorizeByResourceTypeWithAllHostAce() {
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "user1");
        InetAddress byName = InetAddress.getByName("192.168.1.1");
        InetAddress byName2 = InetAddress.getByName("192.168.1.2");
        String WildcardHost = AclEntry$.MODULE$.WildcardHost();
        ResourcePattern resourcePattern = new ResourcePattern(ResourceType.TOPIC, new StringBuilder(3).append("sb1").append(UUID.randomUUID()).toString(), PatternType.LITERAL);
        ResourcePattern resourcePattern2 = new ResourcePattern(ResourceType.TOPIC, new StringBuilder(3).append("sb2").append(UUID.randomUUID()).toString(), PatternType.LITERAL);
        AccessControlEntry accessControlEntry = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.READ, AclPermissionType.ALLOW);
        AccessControlEntry accessControlEntry2 = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.READ, AclPermissionType.DENY);
        AccessControlEntry accessControlEntry3 = new AccessControlEntry(kafkaPrincipal.toString(), WildcardHost, AclOperation.READ, AclPermissionType.DENY);
        AccessControlEntry accessControlEntry4 = new AccessControlEntry(kafkaPrincipal.toString(), WildcardHost, AclOperation.READ, AclPermissionType.ALLOW);
        RequestContext newRequestContext = newRequestContext(kafkaPrincipal, byName, newRequestContext$default$3());
        RequestContext newRequestContext2 = newRequestContext(kafkaPrincipal, byName2, newRequestContext$default$3());
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 should not have READ access to any topic when no ACL exists");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern);
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 should now have READ access to at least one topic");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry3})), resourcePattern);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 now shouldn't have READ access to any topic");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry2})), resourcePattern2);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 still should not have READ access to any topic");
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext2, AclOperation.READ, ResourceType.TOPIC), "User1 from host2 should not have READ access to any topic");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry4})), resourcePattern2);
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext2, AclOperation.READ, ResourceType.TOPIC), "User1 from host2 should now have READ access to at least one topic");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry3})), resourcePattern2);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext2, AclOperation.READ, ResourceType.TOPIC), "User1 from host2 now shouldn't have READ access to any topic");
    }

    @Test
    default void testAuthorizeByResourceTypeWithAllPrincipalAce() {
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", "user1");
        KafkaPrincipal kafkaPrincipal2 = new KafkaPrincipal("User", "user2");
        String WildcardPrincipalString = AclEntry$.MODULE$.WildcardPrincipalString();
        InetAddress byName = InetAddress.getByName("192.168.1.1");
        ResourcePattern resourcePattern = new ResourcePattern(ResourceType.TOPIC, new StringBuilder(3).append("sb1").append(UUID.randomUUID()).toString(), PatternType.LITERAL);
        ResourcePattern resourcePattern2 = new ResourcePattern(ResourceType.TOPIC, new StringBuilder(3).append("sb2").append(UUID.randomUUID()).toString(), PatternType.LITERAL);
        AccessControlEntry accessControlEntry = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.READ, AclPermissionType.ALLOW);
        AccessControlEntry accessControlEntry2 = new AccessControlEntry(kafkaPrincipal.toString(), byName.getHostAddress(), AclOperation.READ, AclPermissionType.DENY);
        AccessControlEntry accessControlEntry3 = new AccessControlEntry(WildcardPrincipalString, byName.getHostAddress(), AclOperation.READ, AclPermissionType.DENY);
        AccessControlEntry accessControlEntry4 = new AccessControlEntry(WildcardPrincipalString, byName.getHostAddress(), AclOperation.READ, AclPermissionType.ALLOW);
        RequestContext newRequestContext = newRequestContext(kafkaPrincipal, byName, newRequestContext$default$3());
        RequestContext newRequestContext2 = newRequestContext(kafkaPrincipal2, byName, newRequestContext$default$3());
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 should not have READ access to any topic when no ACL exists");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern);
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 should now have READ access to at least one topic");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry3})), resourcePattern);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 now shouldn't have READ access to any topic");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry2})), resourcePattern2);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "User1 from host1 still should not have READ access to any topic");
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext2, AclOperation.READ, ResourceType.TOPIC), "User2 from host1 should not have READ access to any topic");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry4})), resourcePattern2);
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext2, AclOperation.READ, ResourceType.TOPIC), "User2 from host1 should now have READ access to at least one topic");
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry3})), resourcePattern2);
        Assertions.assertFalse(authorizeByResourceType(authorizer(), newRequestContext2, AclOperation.READ, ResourceType.TOPIC), "User2 from host1 now shouldn't have READ access to any topic");
    }

    @Test
    default void testAuthorzeByResourceTypeSuperUserHasAccess() {
        AccessControlEntry accessControlEntry = new AccessControlEntry(AclEntry$.MODULE$.WildcardPrincipalString(), AclEntry$.MODULE$.WildcardHost(), AclOperation.ALL, AclPermissionType.DENY);
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", superUserName());
        InetAddress byName = InetAddress.getByName("192.0.4.4");
        ResourcePattern resourcePattern = new ResourcePattern(ResourceType.TOPIC, "*", PatternType.LITERAL);
        ResourcePattern resourcePattern2 = new ResourcePattern(ResourceType.CLUSTER, "*", PatternType.LITERAL);
        ResourcePattern resourcePattern3 = new ResourcePattern(ResourceType.GROUP, "*", PatternType.LITERAL);
        ResourcePattern resourcePattern4 = new ResourcePattern(ResourceType.TRANSACTIONAL_ID, "*", PatternType.LITERAL);
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern);
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern2);
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern3);
        addAcls(authorizer(), (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AccessControlEntry[]{accessControlEntry})), resourcePattern4);
        RequestContext newRequestContext = newRequestContext(kafkaPrincipal, byName, newRequestContext$default$3());
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TOPIC), "superuser always has access, no matter what acls.");
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.CLUSTER), "superuser always has access, no matter what acls.");
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.GROUP), "superuser always has access, no matter what acls.");
        Assertions.assertTrue(authorizeByResourceType(authorizer(), newRequestContext, AclOperation.READ, ResourceType.TRANSACTIONAL_ID), "superuser always has access, no matter what acls.");
    }

    default RequestContext newRequestContext(KafkaPrincipal kafkaPrincipal, InetAddress inetAddress, ApiKeys apiKeys) {
        SecurityProtocol securityProtocol = SecurityProtocol.SASL_PLAINTEXT;
        return new RequestContext(new RequestHeader(apiKeys, (short) 2, "", 1), "", inetAddress, kafkaPrincipal, ListenerName.forSecurityProtocol(securityProtocol), securityProtocol, ClientInformation.EMPTY, (PathAwareSniHostName) null, false);
    }

    default ApiKeys newRequestContext$default$3() {
        return ApiKeys.PRODUCE;
    }

    default boolean authorizeByResourceType(Authorizer authorizer, RequestContext requestContext, AclOperation aclOperation, ResourceType resourceType) {
        AuthorizationResult authorizeByResourceType = authorizer.authorizeByResourceType(requestContext, aclOperation, resourceType);
        AuthorizationResult authorizationResult = AuthorizationResult.ALLOWED;
        return authorizeByResourceType == null ? authorizationResult == null : authorizeByResourceType.equals(authorizationResult);
    }

    default void addAcls(Authorizer authorizer, Set<AccessControlEntry> set, ResourcePattern resourcePattern) {
        ((IterableOnceOps) CollectionConverters$.MODULE$.ListHasAsScala(authorizer.createAcls(requestContext(), CollectionConverters$.MODULE$.SeqHasAsJava(((Set) set.map(accessControlEntry -> {
            return new AclBinding(resourcePattern, accessControlEntry);
        })).toList()).asJava())).asScala().map(completionStage -> {
            return (AclCreateResult) completionStage.toCompletableFuture().get();
        })).foreach(aclCreateResult -> {
            $anonfun$addAcls$3(aclCreateResult);
            return BoxedUnit.UNIT;
        });
    }

    default boolean removeAcls(Authorizer authorizer, Set<AccessControlEntry> set, ResourcePattern resourcePattern) {
        return ((IterableOnceOps) CollectionConverters$.MODULE$.ListHasAsScala(authorizer.deleteAcls(requestContext(), CollectionConverters$.MODULE$.SeqHasAsJava((set.isEmpty() ? (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new AclBindingFilter[]{new AclBindingFilter(resourcePattern.toFilter(), AccessControlEntryFilter.ANY)})) : (Set) set.map(accessControlEntry -> {
            return new AclBinding(resourcePattern, accessControlEntry).toFilter();
        })).toList()).asJava())).asScala().map(completionStage -> {
            return (AclDeleteResult) completionStage.toCompletableFuture().get();
        })).forall(aclDeleteResult -> {
            return BoxesRunTime.boxToBoolean($anonfun$removeAcls$3(aclDeleteResult));
        });
    }

    static /* synthetic */ void $anonfun$addAcls$3(AclCreateResult aclCreateResult) {
        aclCreateResult.exception().ifPresent(apiException -> {
            throw apiException;
        });
    }

    static /* synthetic */ boolean $anonfun$removeAcls$3(AclDeleteResult aclDeleteResult) {
        aclDeleteResult.exception().ifPresent(apiException -> {
            throw apiException;
        });
        aclDeleteResult.aclBindingDeleteResults().forEach(aclBindingDeleteResult -> {
            aclBindingDeleteResult.exception().ifPresent(apiException2 -> {
                throw apiException2;
            });
        });
        return !aclDeleteResult.aclBindingDeleteResults().isEmpty();
    }

    static void $init$(BaseAuthorizerTest baseAuthorizerTest) {
        baseAuthorizerTest.kafka$security$authorizer$BaseAuthorizerTest$_setter_$superUsers_$eq("User:superuser1; User:superuser2");
        baseAuthorizerTest.kafka$security$authorizer$BaseAuthorizerTest$_setter_$username_$eq("alice");
        baseAuthorizerTest.kafka$security$authorizer$BaseAuthorizerTest$_setter_$username2_$eq("alex");
        baseAuthorizerTest.kafka$security$authorizer$BaseAuthorizerTest$_setter_$principal_$eq(new KafkaPrincipal("User", baseAuthorizerTest.username()));
        baseAuthorizerTest.kafka$security$authorizer$BaseAuthorizerTest$_setter_$principal2_$eq(new KafkaPrincipal("User", baseAuthorizerTest.username2()));
        baseAuthorizerTest.kafka$security$authorizer$BaseAuthorizerTest$_setter_$requestContext_$eq(baseAuthorizerTest.newRequestContext(baseAuthorizerTest.principal(), InetAddress.getByName("192.168.0.1"), baseAuthorizerTest.newRequestContext$default$3()));
        baseAuthorizerTest.kafka$security$authorizer$BaseAuthorizerTest$_setter_$superUserName_$eq("superuser1");
    }
}
