package io.confluent.kafka.multitenant.integration.test;

import io.confluent.kafka.multitenant.MultiTenantPrincipalBuilder;
import io.confluent.kafka.multitenant.PhysicalClusterMetadata;
import io.confluent.kafka.multitenant.Utils;
import io.confluent.kafka.multitenant.authorizer.MultiTenantAuthorizer;
import io.confluent.kafka.multitenant.integration.cluster.LogicalClusterUser;
import io.confluent.kafka.security.audit.event.ConfluentAuthenticationEvent;
import io.confluent.kafka.security.authorizer.MockAuditLogProvider;
import io.confluent.kafka.server.plugins.auth.FileBasedPlainSaslAuthenticatorTest;
import io.confluent.kafka.test.utils.SecurityTestUtils;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;
import junit.framework.TestCase;
import kafka.admin.AclCommand;
import kafka.server.KafkaConfig$;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.clients.admin.NewTopic;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.server.audit.AuditEventStatus;
import org.apache.kafka.server.audit.AuthenticationErrorInfo;
import org.apache.kafka.test.IntegrationTest;
import org.apache.kafka.test.TestUtils;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.rules.TemporaryFolder;

@Category({IntegrationTest.class})
/* loaded from: input_file:io/confluent/kafka/multitenant/integration/test/FileBasedPlainSaslAuthIntegrationTest.class */
public class FileBasedPlainSaslAuthIntegrationTest {
    private IntegrationTestHarness testHarness;
    private String brokerUUID;
    private PhysicalClusterMetadata metadata;
    private LogicalClusterUser testUser;
    private final String logicalClusterId = Utils.LC_META_ABC.logicalClusterId();
    private final int serviceUserId = 1;
    private final String serviceUserAPIkey = "APIKEY1";
    private final String serviceUserAPIkeyPassword = "pwd1";
    private final String testTopic = "abcd";
    private final List<NewTopic> sampleTopics = Collections.singletonList(new NewTopic("abcd", 3, 1));
    private final String path = FileBasedPlainSaslAuthenticatorTest.class.getResource("/file_auth_test_apikeys.json").getFile();

    @Rule
    public final TemporaryFolder tempFolder = new TemporaryFolder();

    @Before
    public void setUp() throws Exception {
        MockAuditLogProvider.reset();
        this.testHarness = new IntegrationTestHarness();
        this.testUser = this.testHarness.start(setUpMetadata(brokerProps())).createLogicalCluster(this.logicalClusterId, 100, 1).user(1);
        AclCommand.main(SecurityTestUtils.addTopicAclArgs(this.testHarness.zkConnect(), this.testUser.prefixedKafkaPrincipal(), this.testUser.withPrefix("abcd"), AclOperation.ALL, PatternType.LITERAL));
    }

    @After
    public void tearDown() throws Exception {
        this.testHarness.shutdown();
        this.metadata.close(this.brokerUUID);
    }

    private Properties setUpMetadata(Properties properties) throws IOException, InterruptedException {
        this.brokerUUID = "uuid";
        HashMap hashMap = new HashMap();
        hashMap.put("broker.session.uuid", this.brokerUUID);
        properties.put("broker.session.uuid", this.brokerUUID);
        hashMap.put("multitenant.metadata.dir", this.tempFolder.getRoot().getCanonicalPath());
        this.metadata = Utils.initiatePhysicalClusterMetadata(hashMap);
        Utils.createLogicalClusterFile(Utils.LC_META_ABC, this.tempFolder);
        TestUtils.waitForCondition(() -> {
            return this.metadata.metadata(Utils.LC_META_ABC.logicalClusterId()) != null;
        }, "Expected metadata of new logical cluster to be present in metadata cache");
        return properties;
    }

    private Properties brokerProps() {
        Properties properties = new Properties();
        properties.put("sasl.enabled.mechanisms", Collections.singletonList("PLAIN"));
        properties.put("listener.name.external.principal.builder.class", MultiTenantPrincipalBuilder.class.getName());
        properties.put("listener.name.external.confluent.security.event.logger.authentication.enable", "true");
        properties.put(KafkaConfig$.MODULE$.AuthorizerClassNameProp(), MultiTenantAuthorizer.class.getName());
        properties.put("confluent.security.event.logger.multitenant.enable", "true");
        properties.put("listener.name.external.plain.sasl.jaas.config", "io.confluent.kafka.server.plugins.auth.FileBasedLoginModule required config_path=\"" + this.path + "\" refresh_ms=\"1000\";");
        properties.put(MockAuditLogProvider.AUDIT_PROVIDER_CONFIG, "TEST");
        return properties;
    }

    @Test
    public void testSuccessfulAuthentication() throws Exception {
        AdminClient createPlainAuthAdminClient = this.testHarness.createPlainAuthAdminClient(IntegrationTestHarness.clientPlainJaasConfig("APIKEY1", "pwd1"));
        createPlainAuthAdminClient.createTopics(this.sampleTopics).all().get();
        TestCase.assertTrue(((Set) createPlainAuthAdminClient.listTopics().names().get()).containsAll((List) this.sampleTopics.stream().map((v0) -> {
            return v0.name();
        }).collect(Collectors.toList())));
        ConfluentAuthenticationEvent lastAuthenticationEntry = MockAuditLogProvider.instance.lastAuthenticationEntry();
        Assert.assertEquals("User", ((KafkaPrincipal) lastAuthenticationEntry.principal().get()).getPrincipalType());
        Assert.assertEquals("1", ((KafkaPrincipal) lastAuthenticationEntry.principal().get()).getName());
        Assert.assertEquals(AuditEventStatus.SUCCESS, lastAuthenticationEntry.status());
        Assert.assertFalse(((KafkaPrincipal) lastAuthenticationEntry.principal().get()).toString().contains("tenantMetadata"));
        Assert.assertTrue(lastAuthenticationEntry.getScope().toString().contains("kafka-cluster=lkc-abc"));
        Assert.assertEquals("1", lastAuthenticationEntry.authenticationContext().server().getAuthorizationID());
    }

    @Test
    public void testInvalidPassword() throws InterruptedException {
        TestUtils.assertFutureError(this.testHarness.createPlainAuthAdminClient(IntegrationTestHarness.clientPlainJaasConfig("APIKEY1", "WrongPassword")).createTopics(this.sampleTopics).all(), SaslAuthenticationException.class);
        ConfluentAuthenticationEvent lastAuthenticationEntry = MockAuditLogProvider.instance.lastAuthenticationEntry();
        Assert.assertFalse(lastAuthenticationEntry.principal().isPresent());
        Assert.assertEquals(AuditEventStatus.UNAUTHENTICATED, lastAuthenticationEntry.status());
        Assert.assertTrue(lastAuthenticationEntry.getScope().toString().contains("kafka-cluster=lkc-abc"));
        TestCase.assertTrue(lastAuthenticationEntry.authenticationException().isPresent());
        AuthenticationErrorInfo errorInfo = ((AuthenticationException) lastAuthenticationEntry.authenticationException().get()).errorInfo();
        Assert.assertTrue(errorInfo.errorMessage().contains("Bad password for user APIKEY1"));
        Assert.assertEquals("APIKEY1", errorInfo.identifier());
        Assert.assertEquals("lkc-abc", errorInfo.clusterId());
    }

    @Test
    public void testUnknownUser() throws InterruptedException {
        TestUtils.assertFutureError(this.testHarness.createPlainAuthAdminClient(IntegrationTestHarness.clientPlainJaasConfig("UnknownUser", "WrongPassword")).createTopics(this.sampleTopics).all(), SaslAuthenticationException.class);
        ConfluentAuthenticationEvent lastAuthenticationEntry = MockAuditLogProvider.instance.lastAuthenticationEntry();
        Assert.assertFalse(lastAuthenticationEntry.principal().isPresent());
        Assert.assertEquals(AuditEventStatus.UNKNOWN_USER_DENIED, lastAuthenticationEntry.status());
        TestCase.assertTrue(lastAuthenticationEntry.authenticationException().isPresent());
        AuthenticationErrorInfo errorInfo = ((AuthenticationException) lastAuthenticationEntry.authenticationException().get()).errorInfo();
        Assert.assertTrue(errorInfo.errorMessage().contains("Unknown user UnknownUser"));
        Assert.assertEquals("UnknownUser", errorInfo.identifier());
    }
}
