package io.quarkus.resteasy.reactive.server.test.security.authzpolicy;

import io.quarkus.security.test.utils.TestIdentityController;
import io.quarkus.security.test.utils.TestIdentityProvider;
import io.quarkus.test.QuarkusUnitTest;
import io.restassured.RestAssured;
import org.hamcrest.Matcher;
import org.hamcrest.Matchers;
import org.jboss.shrinkwrap.api.asset.StringAsset;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension;

/* loaded from: input_file:io/quarkus/resteasy/reactive/server/test/security/authzpolicy/DenyAllUnannotatedWithAuthzPolicyTest.class */
public class DenyAllUnannotatedWithAuthzPolicyTest {

    @RegisterExtension
    static QuarkusUnitTest runner = new QuarkusUnitTest().withApplicationRoot(javaArchive -> {
        javaArchive.addClasses(new Class[]{ForbidViewerClassLevelPolicyResource.class, ForbidViewerMethodLevelPolicyResource.class, ForbidAllButViewerAuthorizationPolicy.class, TestIdentityProvider.class, TestIdentityController.class}).addAsResource(new StringAsset("quarkus.security.jaxrs.deny-unannotated-endpoints=true\n"), "application.properties");
    });

    @BeforeAll
    public static void setupUsers() {
        TestIdentityController.resetRoles().add("admin", "admin", new String[]{"admin", "viewer"}).add("user", "user").add("viewer", "viewer", new String[]{"viewer"});
    }

    @Test
    public void testEndpointWithoutAuthorizationPolicyIsDenied() {
        RestAssured.given().auth().preemptive().basic("admin", "admin").get("/forbid-viewer-method-level-policy/unsecured", new Object[0]).then().statusCode(403);
        RestAssured.given().auth().preemptive().basic("viewer", "viewer").get("/forbid-viewer-method-level-policy/unsecured", new Object[0]).then().statusCode(403);
    }

    @Test
    public void testEndpointWithAuthorizationPolicyIsNotDenied() {
        RestAssured.given().auth().preemptive().basic("admin", "admin").get("/forbid-viewer-method-level-policy", new Object[0]).then().statusCode(403);
        RestAssured.given().auth().preemptive().basic("viewer", "viewer").get("/forbid-viewer-method-level-policy", new Object[0]).then().statusCode(200).body(Matchers.equalTo("viewer"), new Matcher[0]);
    }
}
