package org.apache.pulsar.broker.authorization;

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.util.Collections;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.function.Function;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.authentication.AuthenticationDataSubscription;
import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils;
import org.apache.pulsar.broker.resources.PulsarResources;
import org.mockito.Mockito;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProviderTest.class */
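/**
 * Tests for {@link MultiRolesTokenAuthorizationProvider#authorize} and
 * {@link MultiRolesTokenAuthorizationProvider#isSuperUser}, driving them with JWTs carried in an
 * HTTP {@code Authorization: Bearer ...} header.
 *
 * <p>Security note: every token built here is signed with a freshly generated HS256 key that is
 * never handed to the provider (the provider is initialized from a {@link ServiceConfiguration}
 * that carries no key material). The positive assertions below can therefore only hold if the
 * provider reads the claims without checking the signature.
 * NOTE(review): presumably signature verification is expected to have happened in the
 * authentication layer before this authorization provider is consulted; confirm, and treat the
 * claims as trustworthy only behind a verifying authentication provider.
 */
public class MultiRolesTokenAuthorizationProviderTest {

    /** Header name the provider is expected to read the bearer token from. */
    private static final String AUTHORIZATION_HEADER = "Authorization";

    /** Per-role callback that grants every role it is asked about. */
    private static final Function<String, CompletableFuture<Boolean>> ALLOW_ALL =
            role -> CompletableFuture.completedFuture(true);

    /** Per-role callback that denies every role it is asked about. */
    private static final Function<String, CompletableFuture<Boolean>> DENY_ALL =
            role -> CompletableFuture.completedFuture(false);

    /**
     * Builds a compact JWT holding a single claim, signed with a throwaway HS256 key.
     *
     * @param claimName  name of the claim to set
     * @param claimValue value of the claim (a string or a string array in these tests)
     * @return the serialized token
     */
    private static String tokenWithClaim(String claimName, Object claimValue) {
        return Jwts.builder()
                .claim(claimName, claimValue)
                .signWith(AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256))
                .compact();
    }

    /**
     * Creates HTTP-style authentication data that exposes {@code token} as a bearer token.
     * Asking for any header other than {@code Authorization} fails the test with an
     * {@link IllegalArgumentException}, so an unexpected header lookup is not silently ignored.
     *
     * @param token raw token text placed after the {@code "Bearer "} prefix
     * @return the authentication data stub
     */
    private static AuthenticationDataSource bearerAuthData(final String token) {
        return new AuthenticationDataSource() {
            @Override
            public boolean hasDataFromHttp() {
                return true;
            }

            @Override
            public String getHttpHeader(String name) {
                if (name.equals(AUTHORIZATION_HEADER)) {
                    return "Bearer " + token;
                }
                throw new IllegalArgumentException("Wrong HTTP header");
            }
        };
    }

    /**
     * Creates a provider initialized with {@code conf} and a mocked {@link PulsarResources}.
     *
     * @param conf broker configuration to initialize the provider with
     * @return the initialized provider
     * @throws Exception if initialization fails
     */
    private static MultiRolesTokenAuthorizationProvider newProvider(ServiceConfiguration conf)
            throws Exception {
        MultiRolesTokenAuthorizationProvider provider = new MultiRolesTokenAuthorizationProvider();
        provider.initialize(conf, Mockito.mock(PulsarResources.class));
        return provider;
    }

    /**
     * A token whose {@code sub} claim lists two roles is authorized when the callback grants only
     * one of them or all of them, and rejected when the callback grants none.
     */
    @Test
    public void testMultiRolesAuthz() throws Exception {
        final String userB = "user-b";
        String token = tokenWithClaim("sub", new String[]{"user-a", userB});
        MultiRolesTokenAuthorizationProvider provider = newProvider(new ServiceConfiguration());
        AuthenticationDataSource authData = bearerAuthData(token);

        // Only the second role in the claim is granted; one matching role is enough.
        Assert.assertTrue(provider.authorize("test", authData,
                role -> CompletableFuture.completedFuture(role.equals(userB))).get());
        Assert.assertTrue(provider.authorize("test", authData, ALLOW_ALL).get());
        Assert.assertFalse(provider.authorize("test", authData, DENY_ALL).get());
    }

    /**
     * A token whose {@code sub} claim is an empty array is rejected.
     */
    @Test
    public void testMultiRolesAuthzWithEmptyRoles() throws Exception {
        String token = tokenWithClaim("sub", new String[0]);
        MultiRolesTokenAuthorizationProvider provider = newProvider(new ServiceConfiguration());

        // NOTE(review): the callback denies everything, so this assertion cannot tell "callback
        // never invoked" apart from "callback invoked and denied". A callback that grants (or
        // fails when called) would pin deny-by-default for an empty role set; confirm the
        // provider's behaviour before tightening.
        Assert.assertFalse(provider.authorize("test", bearerAuthData(token), DENY_ALL).get());
    }

    /**
     * A token whose {@code sub} claim is a plain string (not an array) is authorized when the
     * callback grants that single role.
     */
    @Test
    public void testMultiRolesAuthzWithSingleRole() throws Exception {
        final String testRole = "test-role";
        String token = tokenWithClaim("sub", testRole);
        MultiRolesTokenAuthorizationProvider provider = newProvider(new ServiceConfiguration());

        Assert.assertTrue(provider.authorize("test", bearerAuthData(token),
                role -> CompletableFuture.completedFuture(role.equals(testRole))).get());
    }

    /**
     * A token that lacks the {@code sub} claim is rejected, and the callback must never be handed
     * a {@code null} role. The callback would grant {@code "test-role"}, which is the value stored
     * under the unrelated {@code whatever} claim, so the test also checks that a value from a
     * different claim is not picked up as a role.
     */
    @Test
    public void testMultiRolesAuthzWithoutClaim() throws Exception {
        String token = tokenWithClaim("whatever", "test-role");
        MultiRolesTokenAuthorizationProvider provider = newProvider(new ServiceConfiguration());

        Assert.assertFalse(provider.authorize("test", bearerAuthData(token), role -> {
            if (role == null) {
                throw new IllegalStateException("We should avoid pass null to sub providers");
            }
            return CompletableFuture.completedFuture(role.equals("test-role"));
        }).get());
    }

    /**
     * Without authentication data (or with subscription data wrapping {@code null}), the decision
     * follows the callback's verdict on the role string passed to {@code authorize}.
     *
     * <p>NOTE(review): in this path the caller-supplied role appears to be the only input to the
     * decision, so it must originate from the authentication layer rather than from the client;
     * confirm against the call sites.
     */
    @Test
    public void testMultiRolesAuthzWithAnonymousUser() throws Exception {
        MultiRolesTokenAuthorizationProvider provider = new MultiRolesTokenAuthorizationProvider();
        try {
            provider.initialize(new ServiceConfiguration(), Mockito.mock(PulsarResources.class));
            Function<String, CompletableFuture<Boolean>> grantTestRole =
                    role -> CompletableFuture.completedFuture(role.equals("test-role"));

            Assert.assertTrue(provider.authorize("test-role", null, grantTestRole).get());
            Assert.assertFalse(provider.authorize("test-role-x", null, grantTestRole).get());
            Assert.assertTrue(provider.authorize("test-role",
                    new AuthenticationDataSubscription(null, "test-sub"), grantTestRole).get());
        } finally {
            // Close exactly once on both the success and the failure path.
            provider.close();
        }
    }

    /**
     * A bearer value that is not a JWT yields a plain "not authorized" result instead of an
     * exception.
     */
    @Test
    public void testMultiRolesNotFailNonJWT() throws Exception {
        String notAJwt = "a-non-jwt-token";
        MultiRolesTokenAuthorizationProvider provider = newProvider(new ServiceConfiguration());

        // NOTE(review): with an always-deny callback this proves only that a malformed token does
        // not raise; it does not show which role, if any, the provider derives from it.
        Assert.assertFalse(provider.authorize("test", bearerAuthData(notAJwt), DENY_ALL).get());
    }

    /**
     * Roles are read from a custom claim when the configuration sets {@code tokenSettingPrefix}
     * to {@code prefix_} and {@code prefix_tokenAuthClaim} to {@code role}.
     */
    @Test
    public void testMultiRolesAuthzWithCustomRolesClaims() throws Exception {
        final String testRole = "test-role";
        String token = tokenWithClaim("role", new String[]{testRole});

        Properties properties = new Properties();
        properties.setProperty("tokenSettingPrefix", "prefix_");
        properties.setProperty("prefix_tokenAuthClaim", "role");
        ServiceConfiguration conf = new ServiceConfiguration();
        conf.setProperties(properties);
        MultiRolesTokenAuthorizationProvider provider = newProvider(conf);

        Assert.assertTrue(provider.authorize("test", bearerAuthData(token),
                role -> CompletableFuture.completedFuture(role.equals(testRole))).get());
    }

    /**
     * A role listed in {@code superUserRoles} is reported as super user and is authorized even
     * when the callback denies everything; roles outside that set still depend on the callback.
     */
    @Test
    public void testMultiRolesAuthzWithSuperUser() throws Exception {
        String token = tokenWithClaim("sub", "admin");
        ServiceConfiguration conf = new ServiceConfiguration();
        conf.setSuperUserRoles(Set.of("admin"));
        MultiRolesTokenAuthorizationProvider provider = newProvider(conf);
        AuthenticationDataSource authData = bearerAuthData(token);

        Assert.assertTrue(provider.isSuperUser("admin", authData, conf).get());

        // The super-user grant does not depend on the per-role callback.
        Assert.assertTrue(provider.authorize("admin", authData, DENY_ALL).get());

        // Roles that are not super users, presented without authentication data, are decided by
        // the callback alone.
        Function<String, CompletableFuture<Boolean>> grantAdmin1 =
                role -> CompletableFuture.completedFuture(role.equals("admin1"));
        Assert.assertTrue(provider.authorize("admin1", null, grantAdmin1).get());
        Assert.assertFalse(provider.authorize("admin2", null, grantAdmin1).get());
    }
}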
