package io.confluent.kafka.multitenant;

import com.yammer.metrics.core.Meter;
import com.yammer.metrics.core.MetricName;
import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import io.confluent.kafka.multitenant.TenantMetadata;
import io.confluent.kafka.multitenant.authorizer.MultiTenantAuthorizer;
import io.confluent.security.authentication.oauthbearer.CloudJwtPrincipal;
import io.confluent.security.authorizer.AccessRule;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.security.sasl.SaslServer;
import net.jqwik.api.ForAll;
import net.jqwik.api.Property;
import net.jqwik.api.constraints.AlphaChars;
import net.jqwik.api.constraints.Chars;
import net.jqwik.api.constraints.NumericChars;
import net.jqwik.api.constraints.StringLength;
import org.apache.kafka.common.config.internals.BrokerSecurityConfigs;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.errors.SerializationException;
import org.apache.kafka.common.message.ConfluentBrokenPrincipalData;
import org.apache.kafka.common.network.ChannelBuilders;
import org.apache.kafka.common.protocol.MessageUtil;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.SaslAuthenticationContext;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder;
import org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer;
import org.apache.kafka.server.metrics.KafkaYammerMetrics;
import org.apache.kafka.test.TestUtils;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/kafka/multitenant/MultiTenantPrincipalBuilderTest.class */
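/**
 * Tests for the principals produced by {@link MultiTenantPrincipalBuilder} and for the
 * super-user decision {@link MultiTenantAuthorizer#isSuperUser} makes about them.
 *
 * <p>The super-user tests form a decision matrix over the authentication mechanism
 * (OAUTHBEARER vs. the multi-tenant PLAIN server), the account kind (user, service account,
 * internal user, health-check tenant) and two broker flags,
 * {@code ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC} and
 * {@code ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE}. Each test pins one cell of that
 * matrix, so a change in any expected value is a change in who gets tenant-wide privileges and
 * should be reviewed as such.
 *
 * <p>The remaining tests cover principal serialization: round-tripping, compatibility with
 * {@link DefaultKafkaPrincipalBuilder}, and rejection of unknown principal types and of bytes
 * written with a mismatching schema.
 *
 * <p>{@code configs} is static and shared by every test; {@link #clearConfig()} removes the two
 * flags before each test so a flag set by one test cannot leak into the next.
 */
public class MultiTenantPrincipalBuilderTest {
    private static final String OAUTH_NEGOTIATED_TOKEN_PROPERTY_KEY = "OAUTHBEARER.token";
    private static Map<String, Object> configs;
    private static PhysicalClusterMetadata metadata;
    private SaslAuthenticationContext context;
    private static final String BROKER_UUID = UUID.randomUUID().toString();
    public static final Path TEMP_DIR = TestUtils.tempDirectory().toPath();

    @BeforeAll
    public static void setUp() throws Exception {
        setUpPhysicalMetadata();
        clearYammerMetrics();
    }

    @AfterAll
    public static void tearDown() throws Exception {
        metadata.close(BROKER_UUID);
    }

    /** Resets both super-user flags so every test starts from the default configuration. */
    @BeforeEach
    public void clearConfig() {
        configs.remove(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE);
        configs.remove(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC);
    }

    /**
     * Builds the shared broker config, starts the physical cluster metadata and writes the
     * logical cluster files the tests refer to, then waits until the last one written is visible
     * in the metadata cache.
     */
    private static void setUpPhysicalMetadata() throws IOException, InterruptedException {
        configs = new HashMap<>();
        configs.put(BrokerSecurityConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG, MultiTenantPrincipalBuilder.class);
        configs.put(ConfluentConfigs.BROKER_SESSION_ID_PROP, BROKER_UUID);
        configs.put(ConfluentConfigs.MULTITENANT_METADATA_DIR_CONFIG, TEMP_DIR.toRealPath());
        metadata = Utils.initiatePhysicalClusterMetadata(configs);
        Utils.createLogicalClusterFile(Utils.LC_META_ABC, TEMP_DIR);
        Utils.createLogicalClusterFile(Utils.LC_META_1, TEMP_DIR);
        Utils.createLogicalClusterFile(Utils.LC_META_HEALTHCHECK, TEMP_DIR);
        Utils.createLogicalClusterFile(Utils.LC_META_LINK_HEALTHCHECK, TEMP_DIR);
        TestUtils.waitForCondition(
            () -> metadata.metadata(Utils.LC_META_LINK_HEALTHCHECK.logicalClusterId()) != null,
            "Expected metadata of new logical cluster to be present in metadata cache");
    }

    // ---- OAUTHBEARER, regular and internal users ----

    @Test
    public void testOauthSaslPrincipalIsSuperuserByDefault() {
        mockOAuthSaslContext(Utils.LC_META_ABC.logicalClusterId());
        verifyTenantMetadata(Utils.LC_META_ABC, true);
    }

    @Test
    public void testOauthSaslPrincipalIsSuperuserByDefaultForInternalUsers() {
        mockOAuthSaslContext(Utils.LC_META_ABC.logicalClusterId(), true);
        verifyTenantMetadata(Utils.LC_META_ABC, true);
    }

    @Test
    public void testOauthSaslPrincipalIsNotSuperuserWhenMultitenantOauthSuperuserDisableIsTrue() {
        mockOAuthSaslContext(Utils.LC_META_ABC.logicalClusterId());
        configs.put(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE, "true");
        verifyTenantMetadata(Utils.LC_META_ABC, false);
    }

    @Test
    public void testOauthSaslPrincipalIsNotSuperuserWhenRBACEnabled() {
        mockOAuthSaslContext(Utils.LC_META_ABC.logicalClusterId());
        configs.put(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC, "true");
        verifyTenantMetadata(Utils.LC_META_ABC, false);
    }

    @Test
    public void testOauthSaslPrincipalIsNotSuperuserWhenBothFlagsEnabled() {
        mockOAuthSaslContext(Utils.LC_META_ABC.logicalClusterId());
        configs.put(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC, "true");
        configs.put(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE, "true");
        verifyTenantMetadata(Utils.LC_META_ABC, false);
    }

    @Test
    public void testOauthSaslPrincipalIsSuperuserWhenMultitenantOauthSuperuserDisableIsTrueForInternalUsers() {
        mockOAuthSaslContext(Utils.LC_META_ABC.logicalClusterId(), true);
        configs.put(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE, "true");
        verifyTenantMetadata(Utils.LC_META_ABC, true);
    }

    @Test
    public void testOauthSaslPrincipalIsSuperuserWhenRBACEnabledForInternalUsers() {
        mockOAuthSaslContext(Utils.LC_META_ABC.logicalClusterId(), true);
        configs.put(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC, "true");
        verifyTenantMetadata(Utils.LC_META_ABC, true);
    }

    // ---- "org-props-missing-rate" metric ----

    @Test
    public void testOauthSaslOrgMissingProps() {
        mockOAuthSaslContext(Utils.LC_META_1.logicalClusterId());
        verifyOrgPropsMetric();
    }

    @Test
    public void testPlainSaslOrgMissingProps() {
        mockPlainSaslContext(Utils.LC_META_1.logicalClusterId(), true);
        verifyOrgPropsMetric();
    }

    // ---- PLAIN, user accounts ----

    @Test
    public void testPlainSaslPrincipalIsSuperuserByDefaultForUserAccount() {
        mockPlainSaslContext(Utils.LC_META_ABC.logicalClusterId(), true);
        verifyTenantMetadata(Utils.LC_META_ABC, true);
    }

    @Test
    public void testPlainSaslPrincipalIsNotSuperuserWhenRBACEnabledForUserAccount() {
        mockPlainSaslContext(Utils.LC_META_ABC.logicalClusterId(), true);
        configs.put(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC, "true");
        verifyTenantMetadata(Utils.LC_META_ABC, false);
    }

    @Test
    public void testPlainSaslPrincipalIsSuperuserWhenMultitenantOauthSuperuserDisableIsTrueForUserAccount() {
        mockPlainSaslContext(Utils.LC_META_ABC.logicalClusterId(), true);
        configs.put(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE, "true");
        verifyTenantMetadata(Utils.LC_META_ABC, true);
    }

    // NOTE(review): the method name says "IsSuperuser" but the assertion expects a NON-super-user.
    // The expectation matches the RBAC-only case for a PLAIN user account above, so the name looks
    // stale rather than the assertion; the name is kept so test reports stay comparable.
    @Test
    public void testPlainSaslPrincipalIsSuperuserWhenBothFlagsEnabledForUserAccount() {
        mockPlainSaslContext(Utils.LC_META_ABC.logicalClusterId(), true);
        configs.put(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE, "true");
        configs.put(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC, "true");
        verifyTenantMetadata(Utils.LC_META_ABC, false);
    }

    @Test
    public void testPlainSaslPrincipalIsSuperuserForInternalUsersWhenRBACEnabledForUserAccount() {
        mockPlainSaslContext(Utils.LC_META_ABC.logicalClusterId(), true, true);
        configs.put(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC, "true");
        verifyTenantMetadata(Utils.LC_META_ABC, true);
    }

    // ---- PLAIN, service accounts: never super-user, whatever the flags or the authorization id ----

    @Test
    public void testPlainSaslPrincipalIsNotSuperuserByDefaultForServiceAccount() {
        mockPlainSaslContext(Utils.LC_META_ABC.logicalClusterId(), false);
        verifyTenantMetadata(Utils.LC_META_ABC, false);
    }

    @Test
    public void testPlainSaslPrincipalIsNotSuperuserWhenRBACEnabledForServiceAccount() {
        mockPlainSaslContext(Utils.LC_META_ABC.logicalClusterId(), false);
        configs.put(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC, "true");
        verifyTenantMetadata(Utils.LC_META_ABC, false);
    }

    @Test
    public void testPlainSaslPrincipalIsNotSuperuserWhenWhenMultitenantOauthSuperuserDisableIsTrueForServiceAccount() {
        mockPlainSaslContext(Utils.LC_META_ABC.logicalClusterId(), false);
        configs.put(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE, "true");
        verifyTenantMetadata(Utils.LC_META_ABC, false);
    }

    @Test
    public void testPlainSaslPrincipalIsNotSuperuserWhenBothFlagsEnabledForServiceAccount() {
        mockPlainSaslContext(Utils.LC_META_ABC.logicalClusterId(), false);
        configs.put(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC, "true");
        configs.put(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE, "true");
        verifyTenantMetadata(Utils.LC_META_ABC, false);
    }

    @Test
    public void testPlainSaslPrincipalIsNotSuperuserForInternalUsersWhenRBACEnabledForServiceAccount() {
        // A service account stays unprivileged even when it authenticates with the internal user id.
        mockPlainSaslContext(Utils.LC_META_ABC.logicalClusterId(), false, true);
        configs.put(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC, "true");
        verifyTenantMetadata(Utils.LC_META_ABC, false);
    }

    // ---- Health-check tenants ----
    // NOTE(review): every PLAIN health-check test below also authenticates as the internal user,
    // which the tests above show is a super-user on its own when the account is a user account. A
    // case with a health-check tenant and a non-internal user would isolate the health-check rule.

    @Test
    public void testHCPrincipalIsSuperuser() {
        mockPlainSaslContext(Utils.LC_META_HEALTHCHECK.logicalClusterId(), true, true);
        verifyTenantMetadata(Utils.LC_META_HEALTHCHECK, true);
    }

    @Test
    public void testHCPrincipalIsSuperuserWhenRBACEnabled() {
        mockPlainSaslContext(Utils.LC_META_LINK_HEALTHCHECK.logicalClusterId(), true, true);
        configs.put(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC, "true");
        verifyTenantMetadata(Utils.LC_META_LINK_HEALTHCHECK, true);
    }

    @Test
    public void testHCPrincipalIsSuperuserWhenMultitenantOauthSuperuserDisableIsTrue() {
        mockPlainSaslContext(Utils.LC_META_HEALTHCHECK.logicalClusterId(), true, true);
        configs.put(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE, "true");
        verifyTenantMetadata(Utils.LC_META_HEALTHCHECK, true);
    }

    @Test
    public void testHCPrincipalIsSuperuserWhenBothFlagsTrue() {
        mockPlainSaslContext(Utils.LC_META_LINK_HEALTHCHECK.logicalClusterId(), true, true);
        configs.put(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC, "true");
        configs.put(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE, "true");
        verifyTenantMetadata(Utils.LC_META_LINK_HEALTHCHECK, true);
    }

    @Test
    public void testHCOauthPrincipalIsSuperuser() {
        mockOAuthSaslContext(Utils.LC_META_HEALTHCHECK.logicalClusterId());
        verifyTenantMetadata(Utils.LC_META_HEALTHCHECK, true);
    }

    @Test
    public void testHCOauthPrincipalIsSuperuserWhenRBACEnabled() {
        mockOAuthSaslContext(Utils.LC_META_LINK_HEALTHCHECK.logicalClusterId());
        configs.put(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC, "true");
        verifyTenantMetadata(Utils.LC_META_LINK_HEALTHCHECK, true);
    }

    @Test
    public void testHCOauthPrincipalIsSuperuserWhenMultitenantOauthSuperuserDisableIsTrue() {
        mockOAuthSaslContext(Utils.LC_META_HEALTHCHECK.logicalClusterId());
        configs.put(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE, "true");
        verifyTenantMetadata(Utils.LC_META_HEALTHCHECK, true);
    }

    @Test
    public void testHCOauthPrincipalIsSuperuserWhenBothFlagsTrue() {
        mockOAuthSaslContext(Utils.LC_META_LINK_HEALTHCHECK.logicalClusterId());
        configs.put(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC, "true");
        configs.put(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE, "true");
        verifyTenantMetadata(Utils.LC_META_LINK_HEALTHCHECK, true);
    }

    @Test
    public void testOauthServiceAccountIsNotSuperUser() {
        // Token whose userResourceId claim is "sa-foo"; per the test name this identifies a
        // service account, which must not be a super-user even with both flags at their defaults.
        mockOAuthSaslContext(Utils.LC_META_ABC.logicalClusterId(), "12345", "sa-foo");
        verifyTenantMetadata(Utils.LC_META_ABC, false);
    }

    // ---- Principal serialization ----

    @Test
    public void testMultiTenantPrincipalBuilderSerde_NonMultiTenant() {
        KafkaPrincipal original = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "user");
        MultiTenantPrincipalBuilder builder = new MultiTenantPrincipalBuilder();
        Assertions.assertEquals(original, builder.deserialize(builder.serialize(original)));
    }

    @Test
    public void testMultiTenantPrincipalBuilderSerde_NonMultiTenantCompatibilityWithDefaultKafkaPrincipalBuilder() {
        KafkaPrincipal original = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "user");
        byte[] serializedByDefaultBuilder = new DefaultKafkaPrincipalBuilder(null, null).serialize(original);
        Assertions.assertEquals(original, new MultiTenantPrincipalBuilder().deserialize(serializedByDefaultBuilder));
    }

    /**
     * Round-trips a tenant principal twice: once without identity metadata (pool id must come
     * back {@code null}) and once with a pool id (must come back unchanged).
     */
    @Test
    public void testMultiTenantPrincipalBuilderSerde_MultiTenant() {
        MultiTenantPrincipalBuilder builder = new MultiTenantPrincipalBuilder();
        MultiTenantPrincipal withoutPool =
            new MultiTenantPrincipal("user", "saslAuthenticationId", newSampleTenantMetadata());
        Assertions.assertEquals(MultiTenantPrincipal.TENANT_USER_TYPE, withoutPool.getPrincipalType());
        KafkaPrincipal restored = builder.deserialize(builder.serialize(withoutPool));
        Assertions.assertEquals(withoutPool, restored);
        MultiTenantPrincipal restoredWithoutPool = (MultiTenantPrincipal) restored;
        assertSameTenantMetadata(withoutPool, restoredWithoutPool);
        Assertions.assertEquals(
            withoutPool.identityMetadata().poolId(), restoredWithoutPool.identityMetadata().poolId());
        Assertions.assertNull(withoutPool.identityMetadata().poolId());

        MultiTenantPrincipalBuilder secondBuilder = new MultiTenantPrincipalBuilder();
        MultiTenantPrincipal withPool = new MultiTenantPrincipal(
            "user", "saslAuthenticationId", newSampleTenantMetadata(), new IdentityMetadata("poolId"));
        Assertions.assertEquals(MultiTenantPrincipal.TENANT_USER_TYPE, withPool.getPrincipalType());
        KafkaPrincipal restoredSecond = secondBuilder.deserialize(secondBuilder.serialize(withPool));
        Assertions.assertEquals(withPool, restoredSecond);
        MultiTenantPrincipal restoredWithPool = (MultiTenantPrincipal) restoredSecond;
        assertSameTenantMetadata(withPool, restoredWithPool);
        Assertions.assertEquals(
            withPool.identityMetadata().poolId(), restoredWithPool.identityMetadata().poolId());
        Assertions.assertEquals("poolId", withPool.identityMetadata().poolId());
    }

    /**
     * A principal whose type is neither a plain user nor a tenant user must not survive a
     * serialize/deserialize round trip; the builder is expected to fail with
     * {@link SerializationException} rather than hand back a principal of an unexpected type.
     */
    @Test
    public void testMultiTenantPrincipalBuilderSerde_RejectsBadType() throws Exception {
        MultiTenantPrincipalBuilder builder = new MultiTenantPrincipalBuilder();
        for (String principalType : Arrays.asList(AccessRule.GROUP_PRINCIPAL_TYPE, "whatever")) {
            SerializationException error = Assertions.assertThrows(
                SerializationException.class,
                () -> builder.deserialize(builder.serialize(new KafkaPrincipal(principalType, "foo"))));
            Assertions.assertTrue(error.getMessage().startsWith("Invalid principal type "));
        }
    }

    @Test
    public void testUserTenantPrincipalBuilderSerde() {
        UserTenantPrincipalBuilder builder = new UserTenantPrincipalBuilder();
        MultiTenantPrincipal original = (MultiTenantPrincipal) builder.build(null);
        Assertions.assertEquals(MultiTenantPrincipal.TENANT_USER_TYPE, original.getPrincipalType());
        KafkaPrincipal restored = builder.deserialize(builder.serialize(original));
        Assertions.assertEquals(original, restored);
        assertSameTenantMetadata(original, (MultiTenantPrincipal) restored);
    }

    /**
     * Property: bytes written with the {@code ConfluentBrokenPrincipalData} schema (version 0)
     * are rejected by the deserializer with {@link SerializationException} for every generated
     * combination of field values, i.e. parsing fails closed instead of yielding a principal with
     * misread fields.
     */
    @Property(tries = 5000)
    public void testBrokenSchemaFailsParsing(@StringLength(min = 1) @ForAll String name, @ForAll @StringLength(min = 1) @AlphaChars @NumericChars @Chars({'.', '-'}) String tenantName, @StringLength(min = 1) @ForAll String clusterId, @ForAll String saslAuthenticationId, @ForAll boolean tokenAuthenticated, @ForAll String organizationId, @ForAll String environmentId, @ForAll String userResourceId, @ForAll boolean serviceAccount, @ForAll boolean apiKeyAuthenticated, @ForAll boolean healthcheckTenant) {
        ConfluentBrokenPrincipalData data = new ConfluentBrokenPrincipalData()
            .setType(MultiTenantPrincipal.TENANT_USER_TYPE)
            .setName(name)
            .setTokenAuthenticated(tokenAuthenticated)
            .setTenantName(tenantName)
            .setClusterId(clusterId)
            .setOrganizationId(organizationId)
            .setEnvironmentId(environmentId)
            .setServiceAccount(serviceAccount)
            .setApiKeyAuthenticated(apiKeyAuthenticated)
            .setHealthcheckTenant(healthcheckTenant)
            .setUserResourceId(userResourceId)
            .setSaslAuthenticationId(saslAuthenticationId);
        byte[] serialized = MessageUtil.toVersionPrefixedBytes((short) 0, data);
        UserTenantPrincipalBuilder builder = new UserTenantPrincipalBuilder();
        Assertions.assertThrows(SerializationException.class, () -> builder.deserialize(serialized));
    }

    /** Tenant metadata with fixed sample values and all three boolean attributes set. */
    private static TenantMetadata newSampleTenantMetadata() {
        return new TenantMetadata("tenantName", "clusterId", CloudJwtPrincipal.CLAIM_ORGANIZATION_ID, "environmentId", "userResourceID", true, true, true);
    }

    /**
     * Asserts that the security-relevant tenant attributes survived serialization: the user
     * resource id and the service-account, health-check and API-key flags.
     */
    private static void assertSameTenantMetadata(MultiTenantPrincipal expected, MultiTenantPrincipal actual) {
        TenantMetadata expectedTenant = expected.tenantMetadata();
        TenantMetadata actualTenant = actual.tenantMetadata();
        Assertions.assertEquals(expectedTenant.userResourceId, actualTenant.userResourceId);
        Assertions.assertEquals(expectedTenant.isServiceAccount, actualTenant.isServiceAccount);
        Assertions.assertEquals(expectedTenant.isHealthcheckTenant, actualTenant.isHealthcheckTenant);
        Assertions.assertEquals(expectedTenant.isApiKeyAuthenticated, actualTenant.isApiKeyAuthenticated);
    }

    /**
     * Builds a principal from the current mocked {@link #context} using the builder class named
     * in {@code configs}, checks that its tenant metadata (cluster, organization, environment and
     * scope) matches the logical cluster, and asserts the super-user decision.
     *
     * <p>The two flags are read back from {@code configs} at call time, so a test must set them
     * before calling this method.
     *
     * @param logicalCluster the logical cluster the principal is expected to belong to
     * @param expectSuperUser the expected result of {@link MultiTenantAuthorizer#isSuperUser}
     */
    private void verifyTenantMetadata(KafkaLogicalClusterMetadata logicalCluster, boolean expectSuperUser) {
        MultiTenantPrincipal principal =
            (MultiTenantPrincipal) ChannelBuilders.createPrincipalBuilder(configs, null, null).build(this.context);
        TenantMetadata tenant = principal.tenantMetadata();
        Assertions.assertEquals(logicalCluster.logicalClusterId(), tenant.clusterId);
        Assertions.assertEquals(logicalCluster.organizationId(), tenant.organizationId);
        Assertions.assertEquals(logicalCluster.environmentId(), tenant.environmentId);
        Assertions.assertEquals(
            new Scope.Builder(new String[0])
                .addPath("organization=" + logicalCluster.organizationId())
                .addPath("environment=" + logicalCluster.environmentId())
                .addPath("cloud-cluster=" + logicalCluster.logicalClusterId())
                .withKafkaCluster(logicalCluster.logicalClusterId())
                .build(),
            tenant.scope());

        boolean rbacEnabled = "true".equals(configs.get(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC));
        boolean oauthSuperUserDisabled =
            "true".equals(configs.get(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE));
        Action action = new Action(Scope.kafkaClusterScope("foo"), ResourceType.ALL, tenant.clusterId + "_", Operation.ALL);
        // NOTE(review): the meaning of the third argument (always false here) is not visible in
        // this file; confirm against MultiTenantAuthorizer.isSuperUser.
        Assertions.assertEquals(
            expectSuperUser,
            MultiTenantAuthorizer.isSuperUser(principal, action, false, rbacEnabled, oauthSuperUserDisabled));
    }

    /** OAuth context for a regular (non-internal) user with a user resource id. */
    private void mockOAuthSaslContext(String logicalClusterId) {
        mockOAuthSaslContext(logicalClusterId, false, true);
    }

    /** OAuth context for a regular or internal user with a user resource id. */
    private void mockOAuthSaslContext(String logicalClusterId, boolean internalUser) {
        mockOAuthSaslContext(logicalClusterId, internalUser, true);
    }

    /**
     * OAuth context whose principal name is {@code MultiTenantPrincipalBuilder.CCLOUD_INTERNAL_USER}
     * or {@code "user"}; when {@code withUserResourceId} is set the same name is also used as the
     * token's {@code userResourceId}.
     */
    private void mockOAuthSaslContext(String logicalClusterId, boolean internalUser, boolean withUserResourceId) {
        String principalName = internalUser ? MultiTenantPrincipalBuilder.CCLOUD_INTERNAL_USER : "user";
        mockOAuthSaslContext(logicalClusterId, principalName, withUserResourceId ? principalName : null);
    }

    /**
     * Installs a mocked OAUTHBEARER SASL server as {@link #context}. The server reports a token
     * under {@code "OAUTHBEARER.token"} and the logical cluster id under
     * {@code OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY}.
     *
     * @param logicalClusterId logical cluster the connection is negotiated for
     * @param principalName value passed as the token's fourth constructor argument (presumably the
     *     principal name; confirm against {@code OAuthBearerJwsToken})
     * @param userResourceId value of the {@code userResourceId} entry, or {@code null} to build the
     *     token without the extra map
     */
    private void mockOAuthSaslContext(String logicalClusterId, String principalName, String userResourceId) {
        SaslServer saslServer = Mockito.mock(OAuthBearerSaslServer.class);
        OAuthBearerJwsToken token = userResourceId != null
            ? new OAuthBearerJwsToken("", null, 0L, principalName, 0L, Collections.singletonMap("userResourceId", userResourceId))
            : new OAuthBearerJwsToken("", null, 0L, principalName, 0L);
        Mockito.when(saslServer.getNegotiatedProperty(OAUTH_NEGOTIATED_TOKEN_PROPERTY_KEY)).thenReturn(token);
        Mockito.when(saslServer.getNegotiatedProperty(OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY)).thenReturn(logicalClusterId);
        this.context = new SaslAuthenticationContext(saslServer, SecurityProtocol.SASL_PLAINTEXT, InetAddress.getLoopbackAddress(), SecurityProtocol.SASL_PLAINTEXT.name());
    }

    /** PLAIN context for a non-internal user; {@code userAccount == false} means service account. */
    private void mockPlainSaslContext(String logicalClusterId, boolean userAccount) {
        mockPlainSaslContext(logicalClusterId, userAccount, false, true);
    }

    /** PLAIN context with a user resource id; see the four-argument overload. */
    private void mockPlainSaslContext(String logicalClusterId, boolean userAccount, boolean internalUser) {
        mockPlainSaslContext(logicalClusterId, userAccount, internalUser, true);
    }

    /**
     * Installs a mocked {@code MultiTenantSaslServer} as {@link #context}. The tenant metadata it
     * returns is always marked API-key authenticated.
     *
     * @param logicalClusterId logical cluster id given to the tenant metadata builder
     * @param userAccount {@code true} for a user account, {@code false} for a service account
     * @param internalUser whether the authorization id is
     *     {@code MultiTenantPrincipalBuilder.CCLOUD_INTERNAL_USER} instead of {@code "user"}
     * @param withUserResourceId whether the metadata carries the resource id {@code "u-" + authorization id}
     */
    private void mockPlainSaslContext(String logicalClusterId, boolean userAccount, boolean internalUser, boolean withUserResourceId) {
        // Compare ids with ids. The previous code called equals() on the metadata objects with a
        // String argument, which cannot match (unless that equals() accepts Strings), so the
        // health-check flag was never set and the PLAIN health-check tests did not exercise it.
        // NOTE(review): this makes the health-check tests stricter; re-run them after this change.
        boolean healthcheckTenant = Utils.LC_META_HEALTHCHECK.logicalClusterId().equals(logicalClusterId)
            || Utils.LC_META_LINK_HEALTHCHECK.logicalClusterId().equals(logicalClusterId);
        String authorizationId = internalUser ? MultiTenantPrincipalBuilder.CCLOUD_INTERNAL_USER : "user";
        MultiTenantSaslServer saslServer = Mockito.mock(MultiTenantSaslServer.class);
        TenantMetadata tenantMetadata;
        if (withUserResourceId) {
            tenantMetadata = new TenantMetadata.Builder(logicalClusterId, "u-" + authorizationId).serviceAccount(!userAccount).healthcheckTenant(healthcheckTenant).apiKeyAuthenticated(true).build();
        } else {
            tenantMetadata = new TenantMetadata.Builder(logicalClusterId, null).serviceAccount(!userAccount).healthcheckTenant(healthcheckTenant).apiKeyAuthenticated(true).build();
        }
        Mockito.when(saslServer.tenantMetadata()).thenReturn(tenantMetadata);
        Mockito.when(saslServer.getAuthorizationID()).thenReturn(authorizationId);
        this.context = new SaslAuthenticationContext(saslServer, SecurityProtocol.SASL_PLAINTEXT, InetAddress.getLoopbackAddress(), SecurityProtocol.SASL_PLAINTEXT.name());
    }

    /**
     * Asserts that a meter named {@code "org-props-missing-rate"} is registered and has counted at
     * least ten events.
     */
    private void verifyOrgPropsMetric() {
        for (int i = 0; i < 10; i++) {
            // NOTE(review): this loop body is empty in this listing, so nothing in this helper
            // drives the meter that is asserted below. The body was presumably lost when the
            // class was decompiled; restore it from the original source before relying on this test.
        }
        List<?> matchingMetrics = KafkaYammerMetrics.defaultRegistry().allMetrics().entrySet().stream()
            .filter(entry -> entry.getKey().getName().equals("org-props-missing-rate"))
            .map(Map.Entry::getValue)
            .collect(Collectors.toList());
        Assertions.assertFalse(matchingMetrics.isEmpty());
        Assertions.assertTrue(((Meter) matchingMetrics.get(0)).count() >= 10);
    }

    /** Removes every metric from the default Yammer registry so counts start from zero. */
    private static void clearYammerMetrics() {
        for (MetricName metricName : KafkaYammerMetrics.defaultRegistry().allMetrics().keySet()) {
            KafkaYammerMetrics.defaultRegistry().removeMetric(metricName);
        }
    }
}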
