package io.confluent.kafka.server.plugins.policy;

import antlr.Version;
import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.kafka.multitenant.MultiTenantPrincipalBuilder;
import io.confluent.kafka.multitenant.TenantMetadata;
import io.confluent.kafka.server.plugins.policy.AlterConfigPolicy;
import io.netty.handler.ssl.Ciphers;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import kafka.server.KafkaConfig;
import kafka.server.link.ClusterLinkConfig;
import org.apache.kafka.common.config.ConfigResource;
import org.apache.kafka.common.config.ConfluentTopicConfig;
import org.apache.kafka.common.config.LogLevelConfig;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.config.TopicConfig;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.errors.PolicyViolationException;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.server.policy.AlterConfigPolicy;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/kafka/server/plugins/policy/AlterConfigPolicyTest.class */
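/**
 * Tests for the multi-tenant {@code AlterConfigPolicy}, which decides whether an
 * alter-config request is accepted or rejected with a {@link PolicyViolationException}.
 *
 * <p>The cases pin three kinds of guardrail:
 * <ul>
 *   <li>tenant requests (a {@link MultiTenantPrincipal}) may only set allowed topic,
 *       cluster and cluster-link properties, and only inside configured bounds;</li>
 *   <li>broker, broker-logger and unknown resource types are rejected for tenants unless
 *       cluster alteration is explicitly enabled, and then only for the cluster-wide
 *       resource (empty name);</li>
 *   <li>requests carrying a plain {@link KafkaPrincipal} are accepted without those
 *       checks.</li>
 * </ul>
 *
 * <p>NOTE(review): the last point means the policy trusts the principal type. Nothing in
 * this class verifies that a tenant cannot reach a listener that yields a plain
 * {@code KafkaPrincipal}; that separation presumably lives in the listener and
 * principal-builder configuration and should be tested there.
 *
 * <p>NOTE(review): this file looks decompiled. Several values are expressed through
 * unrelated constants ({@code antlr.Version.version},
 * {@code MultiTenantPrincipalBuilder.CCLOUD_INTERNAL_USER},
 * {@code ConfluentConfigs.AUDIT_LOGGER_REPLICATION_FACTOR_DEFAULT},
 * {@code io.netty.handler.ssl.Ciphers}) that presumably stand in for plain string
 * literals in the original source. They are kept unchanged here so behaviour is
 * identical; confirm the intended literals before replacing them.
 */
public class AlterConfigPolicyTest {
    private static final short MIN_ISR = 1;
    private static final short REPLICATION_FACTOR = 3;
    private static final String MIN_ISR_CONFIG = "min.insync.replicas";
    private static final String TENANT_USER = "tenantUserA";
    private static final String TENANT_CLUSTER = "cluster1";
    private static final String RESOURCE_NAME = "dummy";
    /** Resource name used by the tests for cluster-wide (not per-broker) BROKER requests. */
    private static final String CLUSTER_WIDE = "";

    private AlterConfigPolicy policy;

    /** Builds a fresh policy with replication factor 3 and a 3 MiB max.message.bytes ceiling. */
    @BeforeEach
    public void setUp() {
        Map<String, String> policyConfig = new HashMap<>();
        policyConfig.put(TopicPolicyConfig.REPLICATION_FACTOR_CONFIG, Short.toString(REPLICATION_FACTOR));
        policyConfig.put("confluent.plugins.topic.policy.max.partitions.per.tenant", "21");
        policyConfig.put(TopicPolicyConfig.MAX_MESSAGE_BYTES_MAX_CONFIG, "3145728");
        this.policy = new AlterConfigPolicy();
        this.policy.configure(policyConfig);
    }

    // ---------------------------------------------------------------- fixtures

    /** Principal representing an external tenant user. */
    private static MultiTenantPrincipal tenantPrincipal() {
        return new MultiTenantPrincipal(TENANT_USER, new TenantMetadata(TENANT_CLUSTER, TENANT_CLUSTER));
    }

    /** Non-tenant principal, as used by the tests that exercise the internal path. */
    private static KafkaPrincipal internalPrincipal() {
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "ANONYMOUS");
    }

    /** Request from the tenant principal against an arbitrary resource. */
    private static AlterConfigPolicy.RequestMetadata tenantRequest(
            ConfigResource.Type type, String resourceName, Map<String, String> configs) {
        return new AlterConfigPolicy.RequestMetadata(
                new ConfigResource(type, resourceName), configs, tenantPrincipal());
    }

    /** Tenant request against the cluster-wide BROKER resource. */
    private static AlterConfigPolicy.RequestMetadata clusterRequest(Map<String, String> configs) {
        return tenantRequest(ConfigResource.Type.BROKER, CLUSTER_WIDE, configs);
    }

    /** Tenant request setting a single property on the cluster-wide BROKER resource. */
    private static AlterConfigPolicy.RequestMetadata clusterRequest(String property, String value) {
        return clusterRequest(Collections.singletonMap(property, value));
    }

    private AlterConfigPolicy.RequestMetadata requestMetadataWithTopicConfigs(Map<String, String> map) {
        return tenantRequest(ConfigResource.Type.TOPIC, RESOURCE_NAME, map);
    }

    private AlterConfigPolicy.RequestMetadata requestMetadataWithTopicConfigs() {
        Map<String, String> topicConfigs = new HashMap<>();
        topicConfigs.put(MIN_ISR_CONFIG, Short.toString(MIN_ISR));
        topicConfigs.put(TopicConfig.MAX_MESSAGE_BYTES_CONFIG, "4242");
        return requestMetadataWithTopicConfigs(topicConfigs);
    }

    private AlterConfigPolicy.RequestMetadata requestMetadataWithClusterLinkConfigs(Map<String, String> map) {
        return tenantRequest(ConfigResource.Type.CLUSTER_LINK, RESOURCE_NAME, map);
    }

    private AlterConfigPolicy.RequestMetadata createBrokerRequestMetadata(KafkaPrincipal kafkaPrincipal) {
        return new AlterConfigPolicy.RequestMetadata(
                new ConfigResource(ConfigResource.Type.BROKER, RESOURCE_NAME),
                Collections.singletonMap(KafkaConfig.MessageMaxBytesProp(), "4242"),
                kafkaPrincipal);
    }

    private AlterConfigPolicy.RequestMetadata createBrokerLoggerRequestMetadata(KafkaPrincipal kafkaPrincipal) {
        return new AlterConfigPolicy.RequestMetadata(
                new ConfigResource(ConfigResource.Type.BROKER_LOGGER, RESOURCE_NAME),
                Collections.singletonMap("kafka.tier.archiver.TierArchiver", LogLevelConfig.INFO_LOG_LEVEL),
                kafkaPrincipal);
    }

    /** Reconfigures the policy so tenants may alter cluster-level configs. */
    private void enableAlterClusterConfigs() {
        Map<String, String> policyConfig = new HashMap<>();
        policyConfig.put(AlterConfigPolicy.ClusterPolicyConfig.ALTER_ENABLE_CONFIG, "true");
        policyConfig.put(TopicPolicyConfig.REPLICATION_FACTOR_CONFIG, Short.toString(REPLICATION_FACTOR));
        this.policy.configure(policyConfig);
    }

    /** Asserts that the policy refuses {@code request} with a {@link PolicyViolationException}. */
    private void assertRejected(AlterConfigPolicy.RequestMetadata request) {
        Assertions.assertThrows(PolicyViolationException.class, () -> this.policy.validate(request));
    }

    /** Asserts that a tenant topic request setting exactly one property is refused. */
    private void assertTopicConfigRejected(String property, String value) {
        assertRejected(requestMetadataWithTopicConfigs(Collections.singletonMap(property, value)));
    }

    private void validateClusterLinkConfig(String str, String str2) {
        this.policy.validate(requestMetadataWithClusterLinkConfigs(Collections.singletonMap(str, str2)));
    }

    private void rejectClusterLinkConfig(String str, String str2) {
        assertRejected(requestMetadataWithClusterLinkConfigs(Collections.singletonMap(str, str2)));
    }

    // ------------------------------------------------------ topic configs (tenant)

    @Test
    public void validateParamsSetOk() {
        this.policy.validate(requestMetadataWithTopicConfigs());
    }

    @Test
    public void validateNoParamsGivenOk() {
        this.policy.validate(requestMetadataWithTopicConfigs(Collections.emptyMap()));
    }

    @Test
    public void rejectDeleteRetentionMsTooHigh() {
        assertTopicConfigRejected(TopicConfig.DELETE_RETENTION_MS_CONFIG, "60566400001");
    }

    @Test
    public void rejectSegmentBytesTooLow() {
        assertTopicConfigRejected(TopicConfig.SEGMENT_BYTES_CONFIG, "52428799");
    }

    @Test
    public void rejectSegmentBytesTooHigh() {
        assertTopicConfigRejected(TopicConfig.SEGMENT_BYTES_CONFIG, "1073741825");
    }

    @Test
    public void rejectSegmentMsTooLow() {
        assertTopicConfigRejected(TopicConfig.SEGMENT_MS_CONFIG, "500000");
    }

    @Test
    public void rejectMaxCompactionLagMsTooLow() {
        assertTopicConfigRejected(TopicConfig.MAX_COMPACTION_LAG_MS_CONFIG, "500000");
    }

    /** A request that sets every property in this list, with in-range values, must pass. */
    @Test
    public void validateAllAllowedProperties() {
        Map<String, String> topicConfigs = new HashMap<>();
        topicConfigs.put(TopicConfig.CLEANUP_POLICY_CONFIG, TopicConfig.CLEANUP_POLICY_DELETE);
        topicConfigs.put(TopicConfig.MAX_MESSAGE_BYTES_CONFIG, "100");
        topicConfigs.put(TopicConfig.MESSAGE_TIMESTAMP_DIFFERENCE_MAX_MS_CONFIG, "100");
        topicConfigs.put(TopicConfig.MESSAGE_TIMESTAMP_TYPE_CONFIG, "CreateTime");
        topicConfigs.put(TopicConfig.MIN_COMPACTION_LAG_MS_CONFIG, "100");
        topicConfigs.put(TopicConfig.MAX_COMPACTION_LAG_MS_CONFIG, "604800000");
        topicConfigs.put(TopicConfig.RETENTION_BYTES_CONFIG, "100");
        topicConfigs.put(TopicConfig.RETENTION_MS_CONFIG, "135217728");
        topicConfigs.put(TopicConfig.SEGMENT_MS_CONFIG, "600000");
        this.policy.validate(requestMetadataWithTopicConfigs(topicConfigs));
    }

    /** With the default policy config, each schema-validation property is refused on its own. */
    @Test
    public void rejectSchemaValidationProperties() {
        assertTopicConfigRejected(ConfluentTopicConfig.KEY_SCHEMA_VALIDATION_CONFIG, "true");
        assertTopicConfigRejected(
                ConfluentTopicConfig.KEY_SUBJECT_NAME_STRATEGY_CONFIG, ConfluentTopicConfig.TOPIC_NAME_STRATEGY);
        assertTopicConfigRejected(ConfluentTopicConfig.VALUE_SCHEMA_VALIDATION_CONFIG, "true");
        assertTopicConfigRejected(
                ConfluentTopicConfig.VALUE_SUBJECT_NAME_STRATEGY_CONFIG, ConfluentTopicConfig.TOPIC_NAME_STRATEGY);
    }

    @Test
    public void acceptSchemaValidationPropertiesWhenFeatureEnabled() {
        Map<String, String> policyConfig = new HashMap<>();
        policyConfig.put("confluent.schema.validator.multitenant.enable", "true");
        policyConfig.put(TopicPolicyConfig.REPLICATION_FACTOR_CONFIG, Short.toString(REPLICATION_FACTOR));
        this.policy.configure(policyConfig);

        Map<String, String> topicConfigs = new HashMap<>();
        topicConfigs.put(ConfluentTopicConfig.KEY_SCHEMA_VALIDATION_CONFIG, "true");
        topicConfigs.put(
                ConfluentTopicConfig.KEY_SUBJECT_NAME_STRATEGY_CONFIG, ConfluentTopicConfig.TOPIC_NAME_STRATEGY);
        topicConfigs.put(ConfluentTopicConfig.VALUE_SCHEMA_VALIDATION_CONFIG, "false");
        topicConfigs.put(
                ConfluentTopicConfig.VALUE_SUBJECT_NAME_STRATEGY_CONFIG, ConfluentTopicConfig.TOPIC_NAME_STRATEGY);
        this.policy.validate(requestMetadataWithTopicConfigs(topicConfigs));
    }

    @Test
    public void rejectsSmallMinIsrs() {
        assertTopicConfigRejected(MIN_ISR_CONFIG, "0");
    }

    /** min.insync.replicas equal to the configured replication factor (3) is refused. */
    @Test
    public void rejectsLargeMinIsrs() {
        assertTopicConfigRejected(MIN_ISR_CONFIG, "3");
    }

    @Test
    public void acceptsValidMinIsr() {
        this.policy.validate(requestMetadataWithTopicConfigs(Collections.singletonMap(MIN_ISR_CONFIG, "1")));
        this.policy.validate(requestMetadataWithTopicConfigs(Collections.singletonMap(MIN_ISR_CONFIG, "2")));
    }

    /** One out-of-range property (segment.ms) is enough to refuse an otherwise valid request. */
    @Test
    public void rejectDisallowedConfigProperty1() {
        Map<String, String> topicConfigs = new HashMap<>();
        topicConfigs.put(TopicConfig.MAX_MESSAGE_BYTES_CONFIG, "100");
        topicConfigs.put(TopicConfig.SEGMENT_MS_CONFIG, "100");
        assertRejected(requestMetadataWithTopicConfigs(topicConfigs));
    }

    @Test
    public void rejectDisallowedConfigProperty2() {
        assertTopicConfigRejected(ConfluentTopicConfig.TIER_ENABLE_CONFIG, "true");
    }

    /**
     * The same properties that tenants are refused in the two tests above are accepted when
     * the request carries a plain {@link KafkaPrincipal}: the policy is bypassed for
     * non-tenant principals.
     */
    @Test
    public void allowAllTopicConfigChangesThroughInternalListener() {
        Map<String, String> topicConfigs = new HashMap<>();
        topicConfigs.put(TopicConfig.MAX_MESSAGE_BYTES_CONFIG, "100");
        topicConfigs.put(TopicConfig.SEGMENT_MS_CONFIG, "100");
        topicConfigs.put(ConfluentTopicConfig.TIER_ENABLE_CONFIG, "true");
        this.policy.validate(new AlterConfigPolicy.RequestMetadata(
                new ConfigResource(ConfigResource.Type.TOPIC, RESOURCE_NAME), topicConfigs, internalPrincipal()));
    }

    /** 4123123 is above the 3145728 ceiling configured in {@link #setUp()}. */
    @Test
    public void rejectMaxMessageBytesOutOfRange() {
        assertTopicConfigRejected(TopicConfig.MAX_MESSAGE_BYTES_CONFIG, "4123123");
    }

    /** The ceiling configured in {@link #setUp()} is itself an accepted value. */
    @Test
    public void acceptMaxMessageBytesAtLimit() {
        this.policy.validate(requestMetadataWithTopicConfigs(
                Collections.singletonMap(TopicConfig.MAX_MESSAGE_BYTES_CONFIG, "3145728")));
    }

    @Test
    public void acceptMaxMessageBytesInRange() {
        this.policy.validate(requestMetadataWithTopicConfigs(
                Collections.singletonMap(TopicConfig.MAX_MESSAGE_BYTES_CONFIG, "10000")));
    }

    // ------------------------------------------------ cluster-link topic restriction

    /**
     * {@code clusterLinkRestrictTopicConfigs} is expected to clamp out-of-range values to the
     * configured bound rather than reject them, and to drop properties it does not allow.
     */
    @Test
    public void testClusterLinkRestrictTopicConfigs() {
        Map<String, String> policyConfig = new HashMap<>();
        policyConfig.put(TopicPolicyConfig.SEGMENT_BYTES_MIN_CONFIG, "10000");
        policyConfig.put(TopicPolicyConfig.SEGMENT_BYTES_MAX_CONFIG, "1000000");
        policyConfig.put(TopicPolicyConfig.SEGMENT_MS_MIN_CONFIG, "100000");
        policyConfig.put(TopicPolicyConfig.RETENTION_MS_MAX_CONFIG, "10000000000");
        policyConfig.put(TopicPolicyConfig.DELETE_RETENTION_MS_MAX_CONFIG, "10000000000");
        policyConfig.put(TopicPolicyConfig.MAX_MESSAGE_BYTES_MAX_CONFIG, "1000000");
        // NOTE(review): unrelated constant, presumably a decompiler stand-in for the
        // replication factor as a string — confirm.
        policyConfig.put(
                TopicPolicyConfig.REPLICATION_FACTOR_CONFIG, ConfluentConfigs.AUDIT_LOGGER_REPLICATION_FACTOR_DEFAULT);
        policyConfig.put(TopicPolicyConfig.MAX_COMPACTION_LAG_MS_MIN_CONFIG, "10000000");
        this.policy.configure(policyConfig);

        // Every value below its minimum; preallocate is expected to be dropped entirely.
        Map<String, String> tooLow = new HashMap<>();
        tooLow.put(TopicConfig.SEGMENT_BYTES_CONFIG, "100");
        tooLow.put(TopicConfig.SEGMENT_MS_CONFIG, "100");
        // NOTE(review): unrelated constant, presumably a decompiler stand-in for a too-small
        // numeric string — confirm. The original listing put this entry twice; once suffices.
        tooLow.put(MIN_ISR_CONFIG, MultiTenantPrincipalBuilder.CCLOUD_INTERNAL_USER);
        tooLow.put(TopicConfig.PREALLOCATE_CONFIG, "true");
        Map<String, String> raised = this.policy.clusterLinkRestrictTopicConfigs(tooLow);
        Assertions.assertEquals("10000", raised.get(TopicConfig.SEGMENT_BYTES_CONFIG));
        Assertions.assertEquals("100000", raised.get(TopicConfig.SEGMENT_MS_CONFIG));
        Assertions.assertEquals("1", raised.get(MIN_ISR_CONFIG));
        Assertions.assertNull(raised.get(TopicConfig.PREALLOCATE_CONFIG));

        // Every value above its maximum, plus a compaction lag below its minimum.
        Map<String, String> tooHigh = new HashMap<>();
        tooHigh.put(TopicConfig.SEGMENT_BYTES_CONFIG, "2000000");
        tooHigh.put(TopicConfig.MAX_MESSAGE_BYTES_CONFIG, "2000000");
        tooHigh.put(TopicConfig.DELETE_RETENTION_MS_CONFIG, "20000000000");
        tooHigh.put(TopicConfig.RETENTION_MS_CONFIG, "20000000000");
        // NOTE(review): same stand-in constant as the replication factor above — confirm.
        tooHigh.put(MIN_ISR_CONFIG, ConfluentConfigs.AUDIT_LOGGER_REPLICATION_FACTOR_DEFAULT);
        tooHigh.put(TopicConfig.MAX_COMPACTION_LAG_MS_CONFIG, "123");
        Map<String, String> lowered = this.policy.clusterLinkRestrictTopicConfigs(tooHigh);
        Assertions.assertEquals("1000000", lowered.get(TopicConfig.SEGMENT_BYTES_CONFIG));
        Assertions.assertEquals("1000000", lowered.get(TopicConfig.MAX_MESSAGE_BYTES_CONFIG));
        Assertions.assertEquals("10000000000", lowered.get(TopicConfig.DELETE_RETENTION_MS_CONFIG));
        Assertions.assertEquals("10000000000", lowered.get(TopicConfig.RETENTION_MS_CONFIG));
        // NOTE(review): antlr's version string is an unrelated constant; the expected value
        // is presumably the largest min.insync.replicas the policy allows — confirm and
        // replace with a literal so this assertion does not depend on the antlr jar.
        Assertions.assertEquals(Version.version, lowered.get(MIN_ISR_CONFIG));
        Assertions.assertEquals("10000000", lowered.get(TopicConfig.MAX_COMPACTION_LAG_MS_CONFIG));
    }

    // ------------------------------------------------------- broker / cluster configs

    @Test
    public void allowBrokerConfigUpdatesFromInternalUser() {
        this.policy.validate(createBrokerRequestMetadata(internalPrincipal()));
    }

    @Test
    public void allowClusterUpdatesForWhitelistedConfigsIfConfigEnabled() {
        enableAlterClusterConfigs();
        Map<String, String> clusterConfigs = new HashMap<>();
        clusterConfigs.put(
                AlterConfigPolicy.ClusterPolicyConfig.EXTERNAL_LISTENER_SSL_CIPHER_SUITES_CONFIG,
                Ciphers.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
        clusterConfigs.put(KafkaConfig.AutoCreateTopicsEnableProp(), "true");
        clusterConfigs.put(KafkaConfig.NumPartitionsProp(), "50");
        clusterConfigs.put(KafkaConfig.LogRetentionTimeMillisProp(), "7200000");
        clusterConfigs.put(KafkaConfig.LogCleanerMaxCompactionLagMsProp(), "2147483647");
        this.policy.validate(clusterRequest(clusterConfigs));
    }

    /**
     * A single property outside the allowed set (here the authorizer class) refuses the whole
     * request, even when the other property in it is allowed.
     */
    @Test
    public void rejectClusterUpdatesIfAnyConfigIsNotWhitelisted() {
        enableAlterClusterConfigs();
        Map<String, String> clusterConfigs = new HashMap<>();
        clusterConfigs.put(KafkaConfig.AuthorizerClassNameProp(), "SomeAuthorizer");
        clusterConfigs.put(KafkaConfig.AutoCreateTopicsEnableProp(), "true");
        assertRejected(clusterRequest(clusterConfigs));
    }

    /** Even with cluster alteration enabled, a request naming one broker ("1") is refused. */
    @Test
    public void rejectSpecificBrokerConfigUpdatesFromTenant() {
        enableAlterClusterConfigs();
        assertRejected(tenantRequest(
                ConfigResource.Type.BROKER,
                "1",
                Collections.singletonMap(
                        AlterConfigPolicy.ClusterPolicyConfig.EXTERNAL_LISTENER_SSL_CIPHER_SUITES_CONFIG,
                        Ciphers.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)));
    }

    /** Without {@link #enableAlterClusterConfigs()}, tenants cannot alter broker configs. */
    @Test
    public void rejectBrokerConfigUpdatesFromTenantByDefault() {
        assertRejected(createBrokerRequestMetadata(tenantPrincipal()));
    }

    /**
     * The accepted list mixes upper and lower case and has one comma without a following
     * space, so this also pins that suite matching tolerates case and whitespace differences.
     *
     * <p>NOTE(review): the accepted list includes two CBC-mode suites next to the AEAD ones;
     * whether tenants should still be able to select CBC suites is a policy decision worth
     * confirming.
     */
    @Test
    public void allowClusterUpdatesWithValidSslCiphers() {
        enableAlterClusterConfigs();
        this.policy.validate(clusterRequest(
                AlterConfigPolicy.ClusterPolicyConfig.EXTERNAL_LISTENER_SSL_CIPHER_SUITES_CONFIG,
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls_ecdhe_rsa_with_chacha20_poly1305_sha256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"));
    }

    /**
     * The first suite is one the previous test accepts; the second (an ECDSA suite) is not,
     * so one entry outside the allowed set refuses the whole list.
     */
    @Test
    public void rejectClusterUpdatesWithInvalidSslCiphers() {
        enableAlterClusterConfigs();
        assertRejected(clusterRequest(
                AlterConfigPolicy.ClusterPolicyConfig.EXTERNAL_LISTENER_SSL_CIPHER_SUITES_CONFIG,
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"));
    }

    @Test
    public void allowClusterUpdatesWithValidNumPartitionsMin() {
        enableAlterClusterConfigs();
        this.policy.validate(clusterRequest(KafkaConfig.NumPartitionsProp(), "1"));
    }

    @Test
    public void allowClusterUpdatesWithValidNumPartitionsMax() {
        enableAlterClusterConfigs();
        this.policy.validate(clusterRequest(KafkaConfig.NumPartitionsProp(), "100"));
    }

    @Test
    public void rejectClusterUpdatesWithInvalidNumPartitionsMin() {
        enableAlterClusterConfigs();
        // NOTE(review): unrelated constant, presumably a decompiler stand-in for a partition
        // count just below the accepted minimum of "1" — confirm.
        assertRejected(clusterRequest(
                KafkaConfig.NumPartitionsProp(), MultiTenantPrincipalBuilder.CCLOUD_INTERNAL_USER));
    }

    @Test
    public void rejectClusterUpdatesWithInvalidNumPartitionsMax() {
        enableAlterClusterConfigs();
        assertRejected(clusterRequest(KafkaConfig.NumPartitionsProp(), "101"));
    }

    @Test
    public void allowClusterUpdatesWithValidRetentionMsMin() {
        enableAlterClusterConfigs();
        this.policy.validate(clusterRequest(KafkaConfig.LogRetentionTimeMillisProp(), "3600000"));
    }

    @Test
    public void allowClusterUpdatesWithValidRetentionMsMax() {
        enableAlterClusterConfigs();
        this.policy.validate(
                clusterRequest(KafkaConfig.LogRetentionTimeMillisProp(), String.valueOf(Long.MAX_VALUE)));
    }

    @Test
    public void rejectClusterUpdatesWithInvalidRetentionMsMin() {
        enableAlterClusterConfigs();
        assertRejected(clusterRequest(KafkaConfig.LogRetentionTimeMillisProp(), "3599999"));
    }

    /** -1 is accepted as a retention value even though it is below the 3600000 minimum. */
    @Test
    public void allowClusterUpdatesWithInfiniteRetention() {
        enableAlterClusterConfigs();
        this.policy.validate(clusterRequest(KafkaConfig.LogRetentionTimeMillisProp(), "-1"));
    }

    /** Only -1 is special-cased; any other negative retention is refused. */
    @Test
    public void rejectClusterUpdatesWithInvalidRetentionMsNegative() {
        enableAlterClusterConfigs();
        assertRejected(clusterRequest(KafkaConfig.LogRetentionTimeMillisProp(), "-2"));
    }

    @Test
    public void allowClusterUpdatesWithValidMaxCompactionLagMsMin() {
        enableAlterClusterConfigs();
        this.policy.validate(clusterRequest(KafkaConfig.LogCleanerMaxCompactionLagMsProp(), "604800000"));
    }

    @Test
    public void rejectClusterUpdatesWithInvalidMaxCompactionLagMsMin() {
        enableAlterClusterConfigs();
        assertRejected(clusterRequest(KafkaConfig.LogCleanerMaxCompactionLagMsProp(), "604799999"));
    }

    // ------------------------------------------------- broker logger / unknown types

    @Test
    public void rejectsBrokerLoggerUpdatesFromTenant() {
        assertRejected(createBrokerLoggerRequestMetadata(tenantPrincipal()));
    }

    @Test
    public void allowsBrokerLoggerUpdatesFromInternalUser() {
        this.policy.validate(createBrokerLoggerRequestMetadata(internalPrincipal()));
    }

    /** An unrecognised resource type is refused even with no properties in the request. */
    @Test
    public void rejectsUnknownTypeConfigs() {
        assertRejected(tenantRequest(ConfigResource.Type.UNKNOWN, RESOURCE_NAME, Collections.emptyMap()));
    }

    // ------------------------------------------------------------ cluster-link configs

    @Test
    public void validateClusterLinkEmptyParamsOk() {
        this.policy.validate(requestMetadataWithClusterLinkConfigs(Collections.emptyMap()));
    }

    /**
     * In-range sync intervals and buffer size pass, and PLAIN and SCRAM mechanisms pass in
     * any letter case.
     *
     * <p>NOTE(review): PLAIN is accepted here and no test in this class sets
     * {@code security.protocol}; SASL/PLAIN only protects the credential when the transport
     * is TLS, so confirm that the link's protocol is constrained elsewhere.
     */
    @Test
    public void validateClusterLinkSetParamsOk() {
        validateClusterLinkConfig(ClusterLinkConfig.AclSyncMsProp(), "10000");
        validateClusterLinkConfig(ClusterLinkConfig.ConsumerOffsetSyncMsProp(), "10000");
        validateClusterLinkConfig(ClusterLinkConfig.TopicConfigSyncMsProp(), "10000");
        validateClusterLinkConfig(KafkaConfig.ReplicaSocketReceiveBufferBytesProp(), "100000");
        validateClusterLinkConfig(SaslConfigs.SASL_MECHANISM, "PLAIN");
        validateClusterLinkConfig(SaslConfigs.SASL_MECHANISM, "plain");
        validateClusterLinkConfig(SaslConfigs.SASL_MECHANISM, "SCRAM-SHA-256");
        validateClusterLinkConfig(SaslConfigs.SASL_MECHANISM, "SCRAM-sha-256");
        validateClusterLinkConfig(SaslConfigs.SASL_MECHANISM, "SCRAM-SHA-512");
        validateClusterLinkConfig(SaslConfigs.SASL_MECHANISM, "Scram-Sha-512");
    }

    /**
     * Each numeric property is probed once below and once above its accepted range, and the
     * GSSAPI, OAUTHBEARER and unrecognised SASL mechanisms are refused.
     */
    @Test
    public void rejectClusterLinkConfigs() {
        rejectClusterLinkConfig(ClusterLinkConfig.AclSyncMsProp(), "1");
        rejectClusterLinkConfig(ClusterLinkConfig.AclSyncMsProp(), "1000000000");
        rejectClusterLinkConfig(ClusterLinkConfig.ConsumerOffsetSyncMsProp(), "1");
        rejectClusterLinkConfig(ClusterLinkConfig.ConsumerOffsetSyncMsProp(), "1000000000");
        rejectClusterLinkConfig(ClusterLinkConfig.TopicConfigSyncMsProp(), "1");
        rejectClusterLinkConfig(ClusterLinkConfig.TopicConfigSyncMsProp(), "1000000000");
        rejectClusterLinkConfig(KafkaConfig.ReplicaSocketReceiveBufferBytesProp(), "1");
        rejectClusterLinkConfig(KafkaConfig.ReplicaSocketReceiveBufferBytesProp(), "1000000000");
        rejectClusterLinkConfig(SaslConfigs.SASL_MECHANISM, "GSSAPI");
        rejectClusterLinkConfig(SaslConfigs.SASL_MECHANISM, "OAUTHBEARER");
        rejectClusterLinkConfig(SaslConfigs.SASL_MECHANISM, "INVALID");
    }

    /** Property names the policy does not know — empty, ".", or arbitrary — are refused. */
    @Test
    public void rejectUnknownConfigs() {
        rejectClusterLinkConfig("", "1000");
        rejectClusterLinkConfig(".", "1000");
        rejectClusterLinkConfig("bad.config", "1000");
    }
}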
