package pl.edu.icm.unity.engine.project;

import java.util.Arrays;
import java.util.Date;
import java.util.List;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.ArgumentMatchers;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.jupiter.MockitoExtension;
import pl.edu.icm.unity.base.attribute.Attribute;
import pl.edu.icm.unity.base.attribute.AttributeExt;
import pl.edu.icm.unity.base.authn.AuthenticationRealm;
import pl.edu.icm.unity.base.group.Group;
import pl.edu.icm.unity.base.group.GroupDelegationConfiguration;
import pl.edu.icm.unity.base.identity.IdentityTaV;
import pl.edu.icm.unity.engine.api.authn.AuthorizationException;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.authn.LoginSession;
import pl.edu.icm.unity.engine.api.project.GroupAuthorizationRole;
import pl.edu.icm.unity.store.api.AttributeDAO;
import pl.edu.icm.unity.store.api.GroupDAO;
import pl.edu.icm.unity.store.types.StoredAttribute;

/**
 * Unit tests for the authorization assertions of {@link ProjectAuthorizationManager}, run against
 * mocked {@link GroupDAO} and {@link AttributeDAO} instances.
 *
 * <p>Each test installs an invocation context with a login session, registers one or more groups
 * with a delegation configuration, optionally stubs the role attribute returned for the
 * {@code /project} group, and then checks whether the call under test raises an
 * {@link AuthorizationException}.
 *
 * <p>NOTE(review): the role stub matches any attribute name and any entity id, so these tests do
 * not pin which attribute or which entity the manager actually queries. A regression that reads
 * the role of the wrong entity would presumably still pass here; consider tightening the matchers.
 *
 * <p>NOTE(review): {@code setupInvocationContext()} calls {@code InvocationContext.setCurrent} and
 * nothing in this class resets it. If that context is thread-bound, it may carry over into other
 * tests executed on the same thread; confirm and clean up if so.
 */
@ExtendWith({MockitoExtension.class})
/* loaded from: input_file:pl/edu/icm/unity/engine/project/TestProjectAuthorizationManager.class */
public class TestProjectAuthorizationManager {

    private static final String PROJECT = "/project";

    private static final String SUBGROUP = "/project/sub";

    private static final String NESTED_SUBGROUP = "/project/sub/sub2";

    @Mock
    GroupDAO mockGroupDao;

    @Mock
    AttributeDAO mockAttrDao;

    /** Manager authorization on a group whose delegation flag is off must be refused. */
    @Test
    public void shouldThrowAuthzExceptionWhenDelegationIsNotEnabled() {
        setupInvocationContext();
        ProjectAuthorizationManager manager = newManager();
        addGroup(PROJECT, false);
        Throwable thrown = Assertions.catchThrowable(() -> manager.assertManagerAuthorization(PROJECT));
        assertAuthzException(thrown);
    }

    /** A caller holding only the {@code regular} role must not pass the manager check. */
    @Test
    public void shouldThrowAuthzExceptionWhenRegularUser() {
        Throwable thrown = checkAuthz(true, GroupAuthorizationRole.regular);
        assertAuthzException(thrown);
    }

    /** A caller holding the {@code manager} role passes the manager check on an enabled group. */
    @Test
    public void shouldAcceptAuthzWhenManagerInEnabledGroupCall() throws AuthorizationException {
        Throwable thrown = checkAuthz(true, GroupAuthorizationRole.manager);
        Assertions.assertThat(thrown).isNull();
    }

    /** A {@code projectsAdmin} of the project may grant {@code manager} in a direct subgroup. */
    @Test
    public void shouldAcceptAuthzWhenProjectsAdminSetManagerInSubgroup() throws AuthorizationException {
        setupInvocationContext();
        ProjectAuthorizationManager manager = newManager();
        addGroup(PROJECT, true);
        addGroup(SUBGROUP, true);
        stubCallerRole(GroupAuthorizationRole.projectsAdmin);
        Throwable thrown = Assertions.catchThrowable(
                () -> manager.assertRoleManagerAuthorization(PROJECT, SUBGROUP, GroupAuthorizationRole.manager));
        Assertions.assertThat(thrown).isNull();
    }

    /**
     * A {@code manager} of the project tries to grant {@code manager} in a direct subgroup; the
     * assertion below expects the call to be refused.
     *
     * <p>NOTE(review): the method name says "accept" while the assertion expects an
     * {@link AuthorizationException}. Confirm which of the two reflects the intended policy and
     * align the other, since a misleading name on an authorization test hides what is enforced.
     */
    @Test
    public void shouldAcceptAuthzWhenManagerSetManagerInDirectSubgroup() throws AuthorizationException {
        setupInvocationContext();
        ProjectAuthorizationManager manager = newManager();
        addGroup(PROJECT, true);
        addGroup(SUBGROUP, true);
        stubCallerRole(GroupAuthorizationRole.manager);
        Throwable thrown = Assertions.catchThrowable(
                () -> manager.assertRoleManagerAuthorization(PROJECT, SUBGROUP, GroupAuthorizationRole.manager));
        assertAuthzException(thrown);
    }

    /** A {@code manager} must not be able to grant the higher {@code projectsAdmin} role. */
    @Test
    public void shouldThrowAuthzExceptionWhenManagerSetsProjectsAdminInSubgroup() throws AuthorizationException {
        setupInvocationContext();
        ProjectAuthorizationManager manager = newManager();
        addGroup(PROJECT, true);
        addGroup(SUBGROUP, true);
        stubCallerRole(GroupAuthorizationRole.manager);
        Throwable thrown = Assertions.catchThrowable(
                () -> manager.assertRoleManagerAuthorization(PROJECT, SUBGROUP, GroupAuthorizationRole.projectsAdmin));
        assertAuthzException(thrown);
    }

    /** A {@code manager} must not be able to grant {@code manager} two levels below the project. */
    @Test
    public void shouldThrowAuthzExceptionWhenManagerSetManagerInFutherSubgroup() throws AuthorizationException {
        setupInvocationContext();
        ProjectAuthorizationManager manager = newManager();
        addGroup(PROJECT, true);
        addGroup(NESTED_SUBGROUP, true);
        stubCallerRole(GroupAuthorizationRole.manager);
        Throwable thrown = Assertions.catchThrowable(
                () -> manager.assertRoleManagerAuthorization(PROJECT, NESTED_SUBGROUP, GroupAuthorizationRole.manager));
        assertAuthzException(thrown);
    }

    /** A {@code regular} member must not be able to grant {@code manager} in a subgroup. */
    @Test
    public void shouldThrowAuthzExceptionWhenRegularSetManagerInSubgroup() throws AuthorizationException {
        setupInvocationContext();
        ProjectAuthorizationManager manager = newManager();
        addGroup(PROJECT, true);
        addGroup(SUBGROUP, true);
        stubCallerRole(GroupAuthorizationRole.regular);
        Throwable thrown = Assertions.catchThrowable(
                () -> manager.assertRoleManagerAuthorization(PROJECT, SUBGROUP, GroupAuthorizationRole.manager));
        assertAuthzException(thrown);
    }

    /**
     * The projects-admin check must fail when the project group is registered with the second
     * delegation flag set to {@code false} (sub-projects disabled, going by the test name).
     */
    @Test
    public void shouldBlockCreationWhenDisabledSubprojectInConfig() throws AuthorizationException {
        setupInvocationContext();
        ProjectAuthorizationManager manager = newManager();
        addGroup(PROJECT, true);
        Throwable thrown = Assertions.catchThrowable(() -> manager.assertProjectsAdminAuthorization(PROJECT, SUBGROUP));
        assertAuthzException(thrown);
    }

    /** With both delegation flags on, a caller who is only {@code manager} is still refused. */
    @Test
    public void shouldBlockCreationWhenNotProjectsAdmin() throws AuthorizationException {
        setupInvocationContext();
        ProjectAuthorizationManager manager = newManager();
        addGroup(PROJECT, true, true);
        stubCallerRole(GroupAuthorizationRole.manager);
        Throwable thrown = Assertions.catchThrowable(() -> manager.assertProjectsAdminAuthorization(PROJECT, SUBGROUP));
        assertAuthzException(thrown);
    }

    /** Builds the object under test on top of the two mocked DAOs. */
    private ProjectAuthorizationManager newManager() {
        return new ProjectAuthorizationManager(this.mockGroupDao, this.mockAttrDao);
    }

    /**
     * Makes the attribute DAO return a single stored attribute whose only value is the given role,
     * for any attribute name and any entity id, scoped to the {@code /project} group.
     */
    private void stubCallerRole(GroupAuthorizationRole role) {
        Attribute roleAttribute = new Attribute((String) null, (String) null, (String) null, Arrays.asList(role.toString()));
        StoredAttribute storedRole = new StoredAttribute(new AttributeExt(roleAttribute, false), 1L);
        Mockito.when(this.mockAttrDao.getAttributes(ArgumentMatchers.anyString(), (Long) ArgumentMatchers.any(), (String) ArgumentMatchers.eq(PROJECT)))
                .thenReturn(Arrays.asList(storedRole));
    }

    /** Fails unless the captured throwable is a non-null {@link AuthorizationException}. */
    private void assertAuthzException(Throwable thrown) {
        Assertions.assertThat(thrown)
                .isNotNull()
                .isInstanceOf(AuthorizationException.class);
    }

    /** Registers a group with the given first delegation flag and the second flag off. */
    private void addGroup(String path, boolean delegationEnabled) {
        addGroup(path, delegationEnabled, false);
    }

    /**
     * Registers a group in the mocked group DAO under the given path.
     *
     * @param path group path returned by the mock for an exact-match lookup
     * @param delegationEnabled first argument of the delegation configuration
     * @param subprojectsEnabled second argument of the delegation configuration; presumably the
     *     sub-projects switch, judging by the tests that use it
     */
    private void addGroup(String path, boolean delegationEnabled, boolean subprojectsEnabled) {
        GroupDelegationConfiguration delegation = new GroupDelegationConfiguration(delegationEnabled, Boolean.valueOf(subprojectsEnabled), (String) null, (String) null, (String) null, (String) null, List.of(), List.of());
        Group group = new Group(path);
        group.setDelegationConfiguration(delegation);
        Mockito.when(this.mockGroupDao.get((String) ArgumentMatchers.eq(path))).thenReturn(group);
    }

    /** Installs an invocation context carrying a login session as the current context. */
    private void setupInvocationContext() {
        LoginSession session = new LoginSession("1", (Date) null, (Date) null, 100L, 1L, (String) null, (LoginSession.RememberMeInfo) null, (LoginSession.AuthNInfo) null, (LoginSession.AuthNInfo) null);
        InvocationContext context = new InvocationContext((IdentityTaV) null, (AuthenticationRealm) null, (List) null);
        context.setLoginSession(session);
        InvocationContext.setCurrent(context);
    }

    /**
     * Runs the manager authorization check on {@code /project} for a caller with the given role.
     *
     * @param delegationEnabled first delegation flag of the project group
     * @param groupAuthorizationRole role returned by the stubbed attribute DAO
     * @return the throwable raised by the check, or {@code null} when it passed
     */
    private Throwable checkAuthz(boolean delegationEnabled, GroupAuthorizationRole groupAuthorizationRole) {
        setupInvocationContext();
        ProjectAuthorizationManager manager = newManager();
        addGroup(PROJECT, delegationEnabled);
        stubCallerRole(groupAuthorizationRole);
        return Assertions.catchThrowable(() -> manager.assertManagerAuthorization(PROJECT));
    }
}
