package io.confluent.kafka.multitenant.authorizer;

import io.confluent.kafka.server.plugins.auth.DefaultUserMetaDataStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.stream.Collectors;
import org.apache.kafka.common.Uuid;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AccessControlEntryFilter;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.errors.ApiException;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourcePatternFilter;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.metadata.authorizer.StandardAuthorizerData;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.test.TestUtils;
import org.apache.maven.artifact.Artifact;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/kafka/multitenant/authorizer/MultiTenantAuthorizerUnitTest.class */
public class MultiTenantAuthorizerUnitTest {
    private static String prefixPrincipal = "TenantUser:lck-abc_";
    private static DefaultUserMetaDataStore userMetaDataStore;
    private static Map<String, String> userResourceIdToUserId;
    private static Map<String, String> userIdToUserResourceId;
    private static List<String> userAndResourceIds;
    private final String userResourceId2 = "u-2";
    private final String userResourceId3 = "u-3";
    private final String userId2 = "2";
    private final String userId3 = ConfluentConfigs.AUDIT_LOGGER_REPLICATION_FACTOR_DEFAULT;

    @BeforeEach
    void setUp() {
        userResourceIdToUserId = new ConcurrentHashMap();
        userIdToUserResourceId = new ConcurrentHashMap();
        userAndResourceIds = Collections.unmodifiableList(Arrays.asList("2", ConfluentConfigs.AUDIT_LOGGER_REPLICATION_FACTOR_DEFAULT, "u-2", "u-3"));
        userResourceIdToUserId.put("u-2", "2");
        userIdToUserResourceId.put("2", "u-2");
    }

    @Test
    public void testDeleteAclsWithUserResource() {
        userMetaDataStore = (DefaultUserMetaDataStore) Mockito.mock(DefaultUserMetaDataStore.class);
        for (String str : userAndResourceIds) {
            Mockito.when(userMetaDataStore.userResourceIdToUserId(str)).thenReturn(Optional.ofNullable(userResourceIdToUserId.get(str)));
            Mockito.when(userMetaDataStore.userIdToUserResourceId(str)).thenReturn(Optional.ofNullable(userIdToUserResourceId.get(str)));
        }
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        ArrayList arrayList3 = new ArrayList();
        arrayList.add(getAclBindindFilter(principal("2")));
        arrayList2.add(getAclDeleteResult(principal("2"), 3));
        arrayList3.add(getAclDeleteResult(principal("u-2"), 2));
        arrayList.add(getAclBindindFilter(principal("u-2")));
        arrayList2.add(getAclDeleteResult(principal("u-2"), 3));
        arrayList3.add(getAclDeleteResult(principal("2"), 2));
        arrayList.add(AclBindingFilter.ANY);
        Collection<AclDeleteResult.AclBindingDeleteResult> aclBindingDeleteResult = getAclBindingDeleteResult(principal("u-2"), 2);
        aclBindingDeleteResult.addAll(getAclBindingDeleteResult(principal("2"), 1));
        aclBindingDeleteResult.addAll(getAclBindingDeleteResult(principal(ConfluentConfigs.AUDIT_LOGGER_REPLICATION_FACTOR_DEFAULT), 1));
        aclBindingDeleteResult.addAll(getAclBindingDeleteResult(principal("u-3"), 1));
        arrayList2.add(CompletableFuture.completedFuture(new AclDeleteResult(aclBindingDeleteResult)));
        arrayList3.add(CompletableFuture.completedFuture(new AclDeleteResult(getAclBindingDeleteResult(StandardAuthorizerData.WILDCARD_PRINCIPAL, 0))));
        arrayList.add(getAclBindindFilter("UserV2:*"));
        arrayList2.add(CompletableFuture.completedFuture(new AclDeleteResult(getAclBindingDeleteResult(StandardAuthorizerData.WILDCARD_PRINCIPAL, 0))));
        arrayList3.add(CompletableFuture.completedFuture(new AclDeleteResult(aclBindingDeleteResult)));
        arrayList.add(getAclBindindFilter(principal("2")));
        arrayList2.add(CompletableFuture.completedFuture(new AclDeleteResult(new ApiException("Ran into exception while deleting the ACLs"))));
        arrayList3.add(getAclDeleteResult(principal("u-2"), 5));
        MultiTenantAuthorizer multiTenantAuthorizer = new MultiTenantAuthorizer();
        multiTenantAuthorizer.updateUserMetaDataStore(userMetaDataStore);
        multiTenantAuthorizer.tenantAuthorizerMetrics();
        List combineAclDeleteResults = multiTenantAuthorizer.combineAclDeleteResults(arrayList, arrayList2, arrayList3);
        Assertions.assertTrue(combineAclDeleteResults.size() == 5);
        for (int i = 0; i < 4; i++) {
            int i2 = i;
            Assertions.assertFalse(((CompletableFuture) combineAclDeleteResults.get(i)).thenAccept(aclDeleteResult -> {
                Assertions.assertTrue(aclDeleteResult.aclBindingDeleteResults().size() == 5);
                Set set = (Set) aclDeleteResult.aclBindingDeleteResults().stream().map(aclBindingDeleteResult2 -> {
                    return aclBindingDeleteResult2.aclBinding().entry().principal();
                }).collect(Collectors.toSet());
                switch (i2) {
                    case 0:
                        Assertions.assertTrue(set.size() == 1 && set.contains(principal("2")));
                        return;
                    case 1:
                        Assertions.assertTrue(set.size() == 1 && set.contains(principal("u-2")));
                        return;
                    case 2:
                        Assertions.assertTrue(set.size() == 3 && set.containsAll(Arrays.asList(principal("2"), principal(ConfluentConfigs.AUDIT_LOGGER_REPLICATION_FACTOR_DEFAULT), principal("u-3"))) && !set.contains("u-2"));
                        return;
                    case 3:
                        Assertions.assertTrue(set.size() == 3 && set.containsAll(Arrays.asList(principal("u-2"), principal(ConfluentConfigs.AUDIT_LOGGER_REPLICATION_FACTOR_DEFAULT), principal("u-3"))) && !set.contains("2"));
                        return;
                    default:
                        return;
                }
            }).isCompletedExceptionally());
        }
        Assertions.assertFalse(((CompletableFuture) combineAclDeleteResults.get(4)).thenAccept(aclDeleteResult2 -> {
            Assertions.assertTrue(aclDeleteResult2.aclBindingDeleteResults().size() == 0 && aclDeleteResult2.exception() != null);
        }).isCompletedExceptionally());
        Assertions.assertTrue(TestUtils.getMetricValue(multiTenantAuthorizer.metrics(), "user-id-to-resource-id-mapping-missing-rate-per-minute") >= 3.0d);
    }

    @Test
    public void testAclLimit() {
        final ArrayList arrayList = new ArrayList();
        final AtomicInteger atomicInteger = new AtomicInteger();
        MultiTenantAuthorizer multiTenantAuthorizer = new MultiTenantAuthorizer() { // from class: io.confluent.kafka.multitenant.authorizer.MultiTenantAuthorizerUnitTest.1
            public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
                atomicInteger.incrementAndGet();
                return arrayList;
            }
        };
        ArrayList arrayList2 = new ArrayList();
        setAcls(arrayList, "tenant_", 0, 10, new Uuid[0]);
        setAcls(arrayList2, "tenant_", 11, 20, new Uuid[0]);
        Assertions.assertFalse(multiTenantAuthorizer.exceedsAclLimit("tenant_", arrayList2, Integer.MAX_VALUE));
        Assertions.assertEquals(0, atomicInteger.get());
        arrayList.clear();
        verifyLimit(multiTenantAuthorizer, "tenant_", 0, 10, 10, false);
        setAcls(arrayList, "tenant_", 0, 5, new Uuid[0]);
        verifyLimit(multiTenantAuthorizer, "tenant_", 5, 5, 10, false);
        setAcls(arrayList, "another-tenant", 0, 20, new Uuid[0]);
        verifyLimit(multiTenantAuthorizer, "tenant_", 0, 10, 10, false);
        setAcls(arrayList, "tenant_", 0, 10, new Uuid[0]);
        verifyLimit(multiTenantAuthorizer, "tenant_", 0, 10, 10, false);
        setAcls(arrayList, "tenant_", 0, 9, new Uuid[0]);
        verifyLimit(multiTenantAuthorizer, "tenant_", 20, 1, 10, false);
        setAcls(arrayList, "tenant_", 0, 10, new Uuid[0]);
        verifyLimit(multiTenantAuthorizer, "tenant_", 20, 1, 10, true);
        setAcls(arrayList, "tenant_", 0, 9, new Uuid[0]);
        verifyLimit(multiTenantAuthorizer, "tenant_", 20, 2, 10, true);
        setAcls(arrayList, "tenant_", 0, 10, Uuid.randomUuid(), Uuid.randomUuid());
        verifyLimit(multiTenantAuthorizer, "tenant_", 0, 10, 10, false);
        setAcls(arrayList, "tenant_", 0, 20, Uuid.randomUuid(), Uuid.randomUuid());
        setAcls(arrayList2, "tenant_", 0, 20, new Uuid[0]);
        verifyLimit(multiTenantAuthorizer, "tenant_", 0, 20, 10, false);
    }

    @Test
    public void testAclOperationMetric() {
        MultiTenantAuthorizer multiTenantAuthorizer = new MultiTenantAuthorizer();
        multiTenantAuthorizer.tenantAuthorizerMetrics();
        multiTenantAuthorizer.recordCreateAclMetric(StandardAuthorizerData.WILDCARD_PRINCIPAL);
        multiTenantAuthorizer.recordDescribeAclMetric("UserV2:*");
        multiTenantAuthorizer.recordDeleteAclMetric("User:sa-1");
        multiTenantAuthorizer.recordCreateAclMetric((String) null);
        multiTenantAuthorizer.recordDescribeAclMetric("User:1");
        multiTenantAuthorizer.recordDeleteAclMetric("User:1");
        for (String str : new String[]{"integer-id", "resource-id"}) {
            Assertions.assertTrue(TestUtils.getMetricValue(multiTenantAuthorizer.metrics(), "create-acl-request-rate", Collections.singletonMap("principal-type", str)) > ConfluentConfigs.IP_CONNECTION_CREATION_RATE_THROTTLE_ENABLE_THRESHOLD_DEFAULT);
            Assertions.assertTrue(TestUtils.getMetricValue(multiTenantAuthorizer.metrics(), "describe-acl-request-rate", Collections.singletonMap("principal-type", str)) > ConfluentConfigs.IP_CONNECTION_CREATION_RATE_THROTTLE_ENABLE_THRESHOLD_DEFAULT);
            Assertions.assertTrue(TestUtils.getMetricValue(multiTenantAuthorizer.metrics(), "delete-acl-request-rate", Collections.singletonMap("principal-type", str)) > ConfluentConfigs.IP_CONNECTION_CREATION_RATE_THROTTLE_ENABLE_THRESHOLD_DEFAULT);
        }
    }

    private void setAcls(List<AclBinding> list, String str, int i, int i2, Uuid... uuidArr) {
        list.clear();
        String str2 = "TenantUser:" + str + "*";
        for (int i3 = 0; i3 < i2; i3++) {
            list.add(new AclBinding(new ResourcePattern(ResourceType.TOPIC, str + "topic" + (i + i3), PatternType.LITERAL), new AccessControlEntry(str2, "", AclOperation.ALL, AclPermissionType.ALLOW, Arrays.asList(uuidArr))));
        }
    }

    private void verifyLimit(MultiTenantAuthorizer multiTenantAuthorizer, String str, int i, int i2, int i3, boolean z) {
        ArrayList arrayList = new ArrayList();
        setAcls(arrayList, str, i, i2, new Uuid[0]);
        Assertions.assertEquals(Boolean.valueOf(z), Boolean.valueOf(multiTenantAuthorizer.exceedsAclLimit(str, arrayList, i3)));
        setAcls(arrayList, str, i, i2, Uuid.randomUuid());
        Assertions.assertEquals(Boolean.valueOf(z), Boolean.valueOf(multiTenantAuthorizer.exceedsAclLimit(str, arrayList, i3)));
        setAcls(arrayList, str, i, i2, Uuid.randomUuid(), Uuid.randomUuid());
        Assertions.assertEquals(Boolean.valueOf(z), Boolean.valueOf(multiTenantAuthorizer.exceedsAclLimit(str, arrayList, i3)));
        setAcls(arrayList, str, i, i2, Uuid.ZERO_UUID);
        Assertions.assertEquals(Boolean.valueOf(z), Boolean.valueOf(multiTenantAuthorizer.exceedsAclLimit(str, arrayList, i3)));
    }

    private String principal(String str) {
        return prefixPrincipal + str;
    }

    private CompletableFuture<AclDeleteResult> getAclDeleteResult(String str, int i) {
        return CompletableFuture.completedFuture(new AclDeleteResult(getAclBindingDeleteResult(str, i)));
    }

    private Collection<AclDeleteResult.AclBindingDeleteResult> getAclBindingDeleteResult(String str, int i) {
        ArrayList arrayList = new ArrayList();
        for (int i2 = 0; i2 < i; i2++) {
            arrayList.add(new AclDeleteResult.AclBindingDeleteResult(getAclBinding(str)));
        }
        return arrayList;
    }

    private AclBinding getAclBinding(String str) {
        return new AclBinding(new ResourcePattern(ResourceType.TOPIC, Artifact.SCOPE_TEST, PatternType.LITERAL), new AccessControlEntry(str, "*", AclOperation.ALL, AclPermissionType.ALLOW));
    }

    private AclBindingFilter getAclBindindFilter(String str) {
        return new AclBindingFilter(new ResourcePatternFilter(ResourceType.ANY, null, PatternType.ANY), new AccessControlEntryFilter(str, null, AclOperation.ANY, AclPermissionType.ANY));
    }
}
