package io.confluent.kafka.multitenant.authorizer;

import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.kafka.multitenant.MultiTenantPrincipalBuilder;
import io.confluent.kafka.multitenant.TenantMetadata;
import io.confluent.kafka.multitenant.integration.test.FileBasedPlainSaslAuthHostNameValidationIntegrationTest;
import io.confluent.kafka.security.authorizer.acl.AclMapper;
import io.confluent.kafka.security.authorizer.acl.ExtendedAccessRuleProvider;
import io.confluent.security.authorizer.AccessRule;
import io.confluent.security.authorizer.AclAccessRule;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizePolicy;
import io.confluent.security.authorizer.ConfluentAuthorizerConfig;
import io.confluent.security.authorizer.PermissionType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.ConfluentBuiltInProviders;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import kafka.server.KafkaConfig;
import org.apache.directory.api.ldap.model.constants.SupportedSaslMechanisms;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/kafka/multitenant/authorizer/TenantAclProviderTest.class */
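/**
 * Unit tests for {@link TenantAclProvider}: initialization from a KRaft broker configuration and
 * lookup of ACL rules bound to a tenant-wide wildcard principal.
 *
 * <p>NOTE(review): this listing looks decompiled. Several values are referenced through constants
 * of unrelated classes ({@code FileBasedPlainSaslAuthHostNameValidationIntegrationTest.LOCAL_HOST_IP},
 * {@code SupportedSaslMechanisms.EXTERNAL}, {@code MultiTenantPrincipalBuilder.CCLOUD_INTERNAL_USER}),
 * presumably because the decompiler resolved inlined literals to same-valued constants. Confirm
 * against the original source before relying on those names.
 */
class TenantAclProviderTest {

    /**
     * Verifies that a provider configured with the sample KRaft broker settings exposes an
     * authorizer through {@code asAuthorizer()}.
     */
    @Test
    public void testStandardAuthorizerInitialization() {
        TenantAclProvider provider = new TenantAclProvider();
        provider.configure(sampleKRaftBrokerConfig());

        Assertions.assertTrue(provider.asAuthorizer().isPresent());
    }

    /**
     * Verifies that a lookup for a tenant user also consults ACLs bound to that tenant's wildcard
     * principal.
     *
     * <p>The delegate is stubbed only for the principal set {base user principal, tenant wildcard
     * principal}. A Mockito mock returns {@code null} for unstubbed arguments, so
     * {@code assertSame} passes only if {@code TenantAclProvider.findRule} adds the wildcard
     * principal itself; the caller passes an empty group-principal set.
     *
     * <p>NOTE(review): only the positive match is covered. There is no case asserting that a
     * wildcard principal of a different tenant is not added to the lookup, which is the
     * isolation property a multi-tenant authorizer depends on.
     */
    @Test
    public void testMatchTenantWildcardPrincipal() {
        ExtendedAccessRuleProvider delegate = Mockito.mock(ExtendedAccessRuleProvider.class);
        TenantAclProvider provider = new TenantAclProvider(delegate);
        provider.configure(sampleKRaftBrokerConfig());

        String tenantId = "lkc-12345";
        ResourcePattern topic = new ResourcePattern(ResourceType.TOPIC, "bar", PatternType.LITERAL);
        MultiTenantPrincipal tenantUser =
            new MultiTenantPrincipal("foo", new TenantMetadata.Builder(tenantId, "u-15").build());
        // In this fixture the wildcard principal is named with the tenant id followed by "_".
        KafkaPrincipal tenantWildcard =
            new KafkaPrincipal(MultiTenantPrincipal.TENANT_WILDCARD_USER_TYPE, tenantId + "_");

        Action readTopic = new Action(
            Scope.ROOT_SCOPE,
            AclMapper.resourceType(topic.resourceType()),
            topic.name(),
            AclMapper.operation(AclOperation.READ));

        // DENY READ from any host ("*"), bound to the tenant wildcard principal.
        AccessControlEntry denyRead = new AccessControlEntry(
            tenantWildcard.toString(), "*", AclOperation.READ, AclPermissionType.DENY);
        AuthorizeRule expectedRule = new AuthorizeRule();
        expectedRule.addRuleIfNotExist(new AclAccessRule(
            AclMapper.resourcePattern(topic),
            tenantUser,
            PermissionType.DENY,
            FileBasedPlainSaslAuthHostNameValidationIntegrationTest.LOCAL_HOST_IP,
            AclMapper.operation(AclOperation.READ),
            AuthorizePolicy.PolicyType.DENY_ACL,
            new AclBinding(topic, denyRead)));

        Mockito.when(delegate.findRule(
                Utils.mkSet(AccessRule.asBaseKafkaPrincipal(tenantUser), tenantWildcard),
                FileBasedPlainSaslAuthHostNameValidationIntegrationTest.LOCAL_HOST_IP,
                readTopic))
            .thenReturn(expectedRule);

        Assertions.assertSame(
            expectedRule,
            provider.findRule(
                tenantUser,
                Collections.emptySet(),
                FileBasedPlainSaslAuthHostNameValidationIntegrationTest.LOCAL_HOST_IP,
                readTopic));
    }

    /**
     * Builds a minimal KRaft broker configuration that selects {@link MultiTenantAuthorizer} and
     * the multi-tenant access rule provider.
     *
     * @return a fresh, mutable configuration map
     */
    private Map<String, Object> sampleKRaftBrokerConfig() {
        // Parameterized map: the original used a raw HashMap, an unchecked conversion on return.
        Map<String, Object> config = new HashMap<>();
        config.put(KafkaConfig.ControllerListenerNamesProp(), "CONTROLLER");
        config.put(ConfluentConfigs.CLUSTER_LINK_ENABLE_CONFIG, "false");
        config.put(KafkaConfig.ProcessRolesProp(), "broker");
        config.put(KafkaConfig.QuorumVotersProp(), "10@localhost:8092");
        config.put(KafkaConfig.NodeIdProp(), MultiTenantPrincipalBuilder.CCLOUD_INTERNAL_USER);
        config.put(KafkaConfig.ListenersProp(), "PLAINTEXT://localhost:9092");
        config.put(KafkaConfig.AuthorizerClassNameProp(), MultiTenantAuthorizer.class.getName());
        config.put(ConfluentConfigs.MULTITENANT_LISTENER_NAMES_CONFIG, SupportedSaslMechanisms.EXTERNAL);
        config.put(
            ConfluentAuthorizerConfig.ACCESS_RULE_PROVIDERS_PROP,
            ConfluentBuiltInProviders.AccessRuleProviders.MULTI_TENANT.name());
        return config;
    }
}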
