package io.camunda.zeebe.engine.processing.authorization;

import io.camunda.zeebe.engine.EngineConfiguration;
import io.camunda.zeebe.engine.processing.identity.AuthorizationCheckBehavior;
import io.camunda.zeebe.engine.state.immutable.ProcessingState;
import io.camunda.zeebe.engine.util.EngineRule;
import io.camunda.zeebe.engine.util.client.AuthorizationClient;
import io.camunda.zeebe.protocol.record.value.AuthorizationResourceType;
import io.camunda.zeebe.protocol.record.value.EntityType;
import io.camunda.zeebe.protocol.record.value.PermissionType;
import io.camunda.zeebe.stream.api.records.TypedRecord;
import io.camunda.zeebe.test.util.record.RecordingExporterTestWatcher;
import java.util.Map;
import java.util.UUID;
import org.assertj.core.api.Assertions;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TestWatcher;
import org.mockito.Mockito;

/* loaded from: input_file:io/camunda/zeebe/engine/processing/authorization/AuthorizationCheckBehaviorTest.class */
/**
 * Exercises {@link AuthorizationCheckBehavior} against a running test engine, with the
 * authorization flag switched on in the {@link EngineConfiguration} handed to it.
 *
 * <p>Covered: a permission granted directly to a user, a permission granted to a role the user
 * was added to, and a user holding no permission at all. Both {@code isAuthorized} and
 * {@code getAuthorizedResourceIdentifiers} are checked.
 *
 * <p>NOTE(review): every case uses DEPLOYMENT / DELETE. This class has no case for a user whose
 * permission names a different resource id, resource type or permission type than the one
 * requested, for a command whose {@code hasRequestMetadata()} is false, or for a configuration
 * with authorization disabled. Deny-path coverage is limited to the "no permission at all" case.
 */
public class AuthorizationCheckBehaviorTest {

    /** Resource type used by every request and every granted permission in this class. */
    private static final AuthorizationResourceType RESOURCE_TYPE = AuthorizationResourceType.DEPLOYMENT;

    /** Permission type used by every request and every granted permission in this class. */
    private static final PermissionType PERMISSION_TYPE = PermissionType.DELETE;

    @Rule
    public final EngineRule engine = EngineRule.singlePartition();

    @Rule
    public final TestWatcher recordingExporterTestWatcher = new RecordingExporterTestWatcher();
    private AuthorizationCheckBehavior authorizationCheckBehavior;

    /**
     * Builds the behavior under test from the engine's authorization and user state, with
     * authorization explicitly enabled in the configuration.
     */
    @Before
    public void before() {
        final ProcessingState state = this.engine.getProcessingState();
        this.authorizationCheckBehavior =
                new AuthorizationCheckBehavior(
                        state.getAuthorizationState(),
                        state.getUserState(),
                        new EngineConfiguration().setEnableAuthorization(true));
    }

    /** A user granted the permission on a resource id is authorized for that same resource id. */
    @Test
    public void shouldBeAuthorizedWhenUserHasPermission() {
        final long userKey = createUser();
        final String resourceId = UUID.randomUUID().toString();
        addPermission(userKey, RESOURCE_TYPE, PERMISSION_TYPE, resourceId);

        Assertions.assertThat(
                        this.authorizationCheckBehavior.isAuthorized(
                                requestFor(userKey).addResourceId(resourceId)))
                .isTrue();
    }

    /** A user with no permission at all is denied for an arbitrary resource id. */
    @Test
    public void shouldNotBeAuthorizedWhenUserHasNoPermission() {
        final long userKey = createUser();
        final String resourceId = UUID.randomUUID().toString();

        Assertions.assertThat(
                        this.authorizationCheckBehavior.isAuthorized(
                                requestFor(userKey).addResourceId(resourceId)))
                .isFalse();
    }

    /** Exactly the resource ids granted to the user are reported back, in any order. */
    @Test
    public void shouldGetResourceIdentifiersWhenUserHasPermissions() {
        final long userKey = createUser();
        final String firstId = UUID.randomUUID().toString();
        final String secondId = UUID.randomUUID().toString();
        addPermission(userKey, RESOURCE_TYPE, PERMISSION_TYPE, firstId, secondId);

        Assertions.assertThat(
                        this.authorizationCheckBehavior.getAuthorizedResourceIdentifiers(
                                requestFor(userKey)))
                .containsExactlyInAnyOrder(firstId, secondId);
    }

    /** A user with no permission gets an empty collection of authorized resource ids. */
    @Test
    public void shouldGetEmptySetWhenUserHasNoPermissions() {
        final long userKey = createUser();

        Assertions.assertThat(
                        this.authorizationCheckBehavior.getAuthorizedResourceIdentifiers(
                                requestFor(userKey)))
                .isEmpty();
    }

    /** A permission granted to a role authorizes a user that was added to that role. */
    @Test
    public void shouldBeAuthorizedWhenRoleHasPermissions() {
        final long userKey = createUser();
        final long roleKey = createRole(userKey);
        final String resourceId = UUID.randomUUID().toString();
        // The grant goes to the role only; the user holds no direct permission here.
        addPermission(roleKey, RESOURCE_TYPE, PERMISSION_TYPE, resourceId);

        Assertions.assertThat(
                        this.authorizationCheckBehavior.isAuthorized(
                                requestFor(userKey).addResourceId(resourceId)))
                .isTrue();
    }

    /** Resource ids granted to a role are reported for a user that was added to that role. */
    @Test
    public void shouldGetResourceIdentifiersWhenRoleHasPermissions() {
        final long userKey = createUser();
        final long roleKey = createRole(userKey);
        final String firstId = UUID.randomUUID().toString();
        final String secondId = UUID.randomUUID().toString();
        // The grant goes to the role only; the user holds no direct permission here.
        addPermission(roleKey, RESOURCE_TYPE, PERMISSION_TYPE, firstId, secondId);

        Assertions.assertThat(
                        this.authorizationCheckBehavior.getAuthorizedResourceIdentifiers(
                                requestFor(userKey)))
                .containsExactlyInAnyOrder(firstId, secondId);
    }

    /**
     * Builds a DEPLOYMENT / DELETE authorization request on behalf of the given user, backed by a
     * freshly mocked command. No resource id is added here; callers add one where needed.
     */
    private AuthorizationCheckBehavior.AuthorizationRequest requestFor(long userKey) {
        return new AuthorizationCheckBehavior.AuthorizationRequest(
                mockCommand(userKey), RESOURCE_TYPE, PERMISSION_TYPE);
    }

    /**
     * Creates a user through the engine with random username, name, email and password.
     *
     * @return the key of the created user record
     */
    private long createUser() {
        final String username = UUID.randomUUID().toString();
        final String name = UUID.randomUUID().toString();
        final String email = UUID.randomUUID().toString();
        final String password = UUID.randomUUID().toString();
        return this.engine
                .user()
                .newUser(username)
                .withName(name)
                .withEmail(email)
                .withPassword(password)
                .create()
                .getKey();
    }

    /**
     * Creates a role with a random name and adds the given user to it as a USER entity.
     *
     * @param j key of the user to add to the new role
     * @return the key of the created role record
     */
    private long createRole(long j) {
        final long roleKey =
                this.engine.role().newRole(UUID.randomUUID().toString()).create().getKey();
        this.engine.role().addEntity(roleKey).withEntityKey(j).withEntityType(EntityType.USER).add();
        return roleKey;
    }

    /**
     * Grants one permission type on each of the given resource ids to an owner in a single
     * {@code add()} call.
     *
     * @param j key of the permission owner; the tests pass either a user key or a role key
     * @param authorizationResourceType resource type the permissions apply to
     * @param permissionType permission type granted for every resource id
     * @param strArr resource ids to grant; with none given, {@code add()} is still issued
     */
    private void addPermission(long j, AuthorizationResourceType authorizationResourceType, PermissionType permissionType, String... strArr) {
        final AuthorizationClient.AuthorizationPermissionClient permissionClient =
                this.engine
                        .authorization()
                        .permission()
                        .withOwnerKey(Long.valueOf(j))
                        .withResourceType(authorizationResourceType);
        for (final String resourceId : strArr) {
            permissionClient.withPermission(permissionType, resourceId);
        }
        permissionClient.add();
    }

    /**
     * Mocks a command record that reports request metadata and carries the given user key under
     * the {@code authorized_user_key} authorization entry.
     *
     * @param j user key placed into the mocked authorizations map
     * @return the stubbed record; all other methods keep Mockito's default answers
     */
    private TypedRecord<?> mockCommand(long j) {
        final TypedRecord<?> command = Mockito.mock(TypedRecord.class);
        // presumably the behavior resolves the acting user from this entry; verify against
        // AuthorizationCheckBehavior
        Mockito.when(command.getAuthorizations()).thenReturn(Map.of("authorized_user_key", Long.valueOf(j)));
        Mockito.when(command.hasRequestMetadata()).thenReturn(true);
        return command;
    }
}
