package org.apache.pulsar.broker.auth;

import com.google.common.collect.Sets;
import java.util.EnumSet;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.authorization.AuthorizationService;
import org.apache.pulsar.client.admin.PulsarAdminBuilder;
import org.apache.pulsar.common.naming.TopicName;
import org.apache.pulsar.common.policies.data.AuthAction;
import org.apache.pulsar.common.policies.data.ClusterData;
import org.apache.pulsar.common.policies.data.SubscriptionAuthMode;
import org.apache.pulsar.common.policies.data.TenantInfoImpl;
import org.testng.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

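/**
 * Checks {@link AuthorizationService} decisions (lookup / produce / consume) against a mocked
 * broker with authentication and authorization enabled.
 *
 * <p>The single scenario in {@link #simple()} walks through, in order: default deny, namespace-level
 * grants, topic-level grants, wildcard role patterns at namespace and topic scope, revocation, and
 * the {@link SubscriptionAuthMode#Prefix} subscription rule.
 *
 * <p>Permission changes are awaited with a fixed 100 ms sleep (see {@link #waitForChange()}), so the
 * outcome depends on timing. NOTE(review): this is presumably why the class sits in the "flaky"
 * group; since these are access-control assertions, confirm the group is still executed somewhere
 * so an authorization regression cannot go unnoticed.
 */
@Test(groups = {"flaky"})
public class AuthorizationTest extends MockedPulsarServiceBaseTest {
    private static final String NAMESPACE = "p1/c1/ns1";
    private static final String TOPIC_DS1 = "persistent://p1/c1/ns1/ds1";
    private static final String TOPIC_DS2 = "persistent://p1/c1/ns1/ds2";

    // Typed nulls: every check in this test runs without authentication data / subscription name
    // unless stated otherwise. The static types keep overload resolution explicit.
    private static final AuthenticationDataSource NO_AUTH_DATA = null;
    private static final String NO_SUBSCRIPTION = null;

    /**
     * Configures the mocked broker: cluster "c1", authentication through the mock provider,
     * authorization with wildcard role matching enabled, and two super-user roles.
     *
     * @throws Exception if the mocked broker cannot be started
     */
    @Override
    @BeforeClass
    public void setup() throws Exception {
        this.conf.setClusterName("c1");
        this.conf.setAuthenticationEnabled(true);
        this.conf.setAuthenticationProviders(
                Sets.newHashSet("org.apache.pulsar.broker.auth.MockAuthenticationProvider"));
        this.conf.setAuthorizationEnabled(true);
        // Required for the "my.role.*" / "*.role.my" / "*" grants exercised in simple().
        this.conf.setAuthorizationAllowWildcardsMatching(true);
        // "pass.pass" is the role the admin client authenticates as (customizeNewPulsarAdminBuilder).
        this.conf.setSuperUserRoles(Sets.newHashSet("pulsar.super_user", "pass.pass"));
        internalSetup();
    }

    /**
     * Makes the admin client authenticate as "pass.pass", which setup() lists as a super-user role.
     *
     * @param pulsarAdminBuilder builder of the admin client used by the test
     */
    @Override
    protected void customizeNewPulsarAdminBuilder(PulsarAdminBuilder pulsarAdminBuilder) {
        pulsarAdminBuilder.authentication(new MockAuthentication("pass.pass"));
    }

    /**
     * Tears the mocked broker down; runs even when a test failed.
     *
     * @throws Exception if cleanup fails
     */
    @Override
    @AfterClass(alwaysRun = true)
    public void cleanup() throws Exception {
        internalCleanup();
    }

    /**
     * End-to-end authorization scenario on namespace {@code p1/c1/ns1}.
     *
     * @throws Exception on any admin or authorization-service failure
     */
    @Test
    public void simple() throws Exception {
        final AuthorizationService auth = this.pulsar.getBrokerService().getAuthorizationService();
        final TopicName ds1 = TopicName.get(TOPIC_DS1);
        final TopicName ds2 = TopicName.get(TOPIC_DS2);

        // Default deny: nothing exists yet, so no role may look the topic up.
        Assert.assertFalse(auth.canLookup(ds1, "my-role", NO_AUTH_DATA));

        this.admin.clusters().createCluster("c1", ClusterData.builder().build());
        this.admin.tenants().createTenant("p1",
                new TenantInfoImpl(Sets.newHashSet("role1"), Sets.newHashSet("c1")));
        waitForChange();
        this.admin.namespaces().createNamespace(NAMESPACE);
        waitForChange();

        // Creating the namespace alone must not grant anything.
        Assert.assertFalse(auth.canLookup(ds1, "my-role", NO_AUTH_DATA));

        // Namespace-level produce grant: lookup and produce become allowed.
        this.admin.namespaces().grantPermissionOnNamespace(NAMESPACE, "my-role", EnumSet.of(AuthAction.produce));
        waitForChange();
        Assert.assertTrue(auth.canLookup(ds1, "my-role", NO_AUTH_DATA));
        Assert.assertTrue(auth.canProduce(ds1, "my-role", NO_AUTH_DATA));

        // Topic-level consume grant on ds2 only: it must not leak into produce or to other roles.
        this.admin.topics().grantPermission(TOPIC_DS2, "other-role", EnumSet.of(AuthAction.consume));
        waitForChange();
        Assert.assertTrue(auth.canLookup(ds2, "other-role", NO_AUTH_DATA));
        Assert.assertTrue(auth.canProduce(ds1, "my-role", NO_AUTH_DATA));
        Assert.assertFalse(auth.canProduce(ds2, "other-role", NO_AUTH_DATA));
        Assert.assertTrue(auth.canConsume(ds2, "other-role", NO_AUTH_DATA, NO_SUBSCRIPTION));
        Assert.assertFalse(auth.canConsume(ds2, "no-access-role", NO_AUTH_DATA, NO_SUBSCRIPTION));
        Assert.assertFalse(auth.canLookup(ds1, "no-access-role", NO_AUTH_DATA));

        // Widen my-role to every action at namespace level.
        this.admin.namespaces().grantPermissionOnNamespace(NAMESPACE, "my-role", EnumSet.allOf(AuthAction.class));
        waitForChange();
        Assert.assertTrue(auth.canProduce(ds1, "my-role", NO_AUTH_DATA));
        Assert.assertTrue(auth.canConsume(ds1, "my-role", NO_AUTH_DATA, NO_SUBSCRIPTION));

        // Baseline before the namespace wildcard grant "my.role.*": dotted roles are denied.
        Assert.assertFalse(auth.canLookup(ds1, "my.role.1", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds1, "my.role.2", NO_AUTH_DATA));
        Assert.assertFalse(auth.canProduce(ds1, "my.role.1", NO_AUTH_DATA));
        Assert.assertFalse(auth.canConsume(ds1, "my.role.1", NO_AUTH_DATA, NO_SUBSCRIPTION));
        Assert.assertFalse(auth.canLookup(ds1, "other.role.1", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds1, "other.role.2", NO_AUTH_DATA));

        // Trailing-wildcard grant: matches "my.role.<x>" for produce only, nothing else.
        this.admin.namespaces().grantPermissionOnNamespace(NAMESPACE, "my.role.*", EnumSet.of(AuthAction.produce));
        waitForChange();
        Assert.assertTrue(auth.canLookup(ds1, "my.role.1", NO_AUTH_DATA));
        Assert.assertTrue(auth.canLookup(ds1, "my.role.2", NO_AUTH_DATA));
        Assert.assertTrue(auth.canProduce(ds1, "my.role.1", NO_AUTH_DATA));
        Assert.assertFalse(auth.canConsume(ds1, "my.role.1", NO_AUTH_DATA, NO_SUBSCRIPTION));
        Assert.assertFalse(auth.canLookup(ds1, "other.role.1", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds1, "other.role.2", NO_AUTH_DATA));

        // Baseline before the namespace wildcard grant "*.role.my".
        Assert.assertFalse(auth.canLookup(ds1, "1.role.my", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds1, "2.role.my", NO_AUTH_DATA));
        Assert.assertFalse(auth.canProduce(ds1, "1.role.my", NO_AUTH_DATA));
        Assert.assertFalse(auth.canConsume(ds1, "1.role.my", NO_AUTH_DATA, NO_SUBSCRIPTION));
        // NOTE(review): "2.role.other" is asserted twice in a row here and in the three analogous
        // groups further down; one of each pair may have been meant for a different role - confirm.
        Assert.assertFalse(auth.canLookup(ds1, "2.role.other", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds1, "2.role.other", NO_AUTH_DATA));

        // Leading-wildcard grant: matches "<x>.role.my" for consume only.
        this.admin.namespaces().grantPermissionOnNamespace(NAMESPACE, "*.role.my", EnumSet.of(AuthAction.consume));
        waitForChange();
        Assert.assertTrue(auth.canLookup(ds1, "1.role.my", NO_AUTH_DATA));
        Assert.assertTrue(auth.canLookup(ds1, "2.role.my", NO_AUTH_DATA));
        Assert.assertFalse(auth.canProduce(ds1, "1.role.my", NO_AUTH_DATA));
        Assert.assertTrue(auth.canConsume(ds1, "1.role.my", NO_AUTH_DATA, NO_SUBSCRIPTION));
        Assert.assertFalse(auth.canLookup(ds1, "2.role.other", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds1, "2.role.other", NO_AUTH_DATA));

        // Revocation must take the wildcard access away again, on both topics.
        this.admin.namespaces().revokePermissionsOnNamespace(NAMESPACE, "my.role.*");
        this.admin.namespaces().revokePermissionsOnNamespace(NAMESPACE, "*.role.my");
        waitForChange();
        Assert.assertFalse(auth.canLookup(ds1, "my.role.1", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds1, "my.role.2", NO_AUTH_DATA));
        Assert.assertFalse(auth.canProduce(ds1, "my.role.1", NO_AUTH_DATA));
        Assert.assertFalse(auth.canConsume(ds1, "my.role.1", NO_AUTH_DATA, NO_SUBSCRIPTION));
        Assert.assertFalse(auth.canLookup(ds1, "other.role.1", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds1, "other.role.2", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds2, "my.role.1", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds2, "my.role.2", NO_AUTH_DATA));

        // Topic-level trailing wildcard on ds1: must stay confined to ds1 and to produce.
        this.admin.topics().grantPermission(TOPIC_DS1, "my.*", EnumSet.of(AuthAction.produce));
        waitForChange();
        Assert.assertTrue(auth.canLookup(ds1, "my.role.1", NO_AUTH_DATA));
        Assert.assertTrue(auth.canLookup(ds1, "my.role.2", NO_AUTH_DATA));
        Assert.assertTrue(auth.canProduce(ds1, "my.role.1", NO_AUTH_DATA));
        Assert.assertFalse(auth.canConsume(ds1, "my.role.1", NO_AUTH_DATA, NO_SUBSCRIPTION));
        Assert.assertFalse(auth.canLookup(ds1, "other.role.1", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds1, "other.role.2", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds2, "my.role.1", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds2, "my.role.2", NO_AUTH_DATA));

        // Baseline before the topic-level leading wildcard "*.my".
        Assert.assertFalse(auth.canLookup(ds1, "1.role.my", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds1, "2.role.my", NO_AUTH_DATA));
        Assert.assertFalse(auth.canProduce(ds1, "1.role.my", NO_AUTH_DATA));
        Assert.assertFalse(auth.canConsume(ds1, "1.role.my", NO_AUTH_DATA, NO_SUBSCRIPTION));
        Assert.assertFalse(auth.canLookup(ds1, "2.role.other", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds1, "2.role.other", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds2, "1.role.my", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds2, "2.role.my", NO_AUTH_DATA));

        // Topic-level leading wildcard on ds1: consume only, and still nothing on ds2.
        this.admin.topics().grantPermission(TOPIC_DS1, "*.my", EnumSet.of(AuthAction.consume));
        waitForChange();
        Assert.assertTrue(auth.canLookup(ds1, "1.role.my", NO_AUTH_DATA));
        Assert.assertTrue(auth.canLookup(ds1, "2.role.my", NO_AUTH_DATA));
        Assert.assertFalse(auth.canProduce(ds1, "1.role.my", NO_AUTH_DATA));
        Assert.assertTrue(auth.canConsume(ds1, "1.role.my", NO_AUTH_DATA, NO_SUBSCRIPTION));
        Assert.assertFalse(auth.canLookup(ds1, "2.role.other", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds1, "2.role.other", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds2, "1.role.my", NO_AUTH_DATA));
        Assert.assertFalse(auth.canLookup(ds2, "2.role.my", NO_AUTH_DATA));

        // Subscription prefix mode: a bare "*" grant lets any role consume on the namespace, and
        // Prefix mode then constrains which subscription names a role may use.
        this.admin.topics().revokePermissions(TOPIC_DS1, "my.*");
        this.admin.topics().revokePermissions(TOPIC_DS1, "*.my");
        this.admin.namespaces().grantPermissionOnNamespace(NAMESPACE, "*", EnumSet.of(AuthAction.consume));
        this.admin.namespaces().setSubscriptionAuthMode(NAMESPACE, SubscriptionAuthMode.Prefix);
        waitForChange();
        Assert.assertTrue(auth.canLookup(ds1, "role1", NO_AUTH_DATA));
        Assert.assertTrue(auth.canLookup(ds1, "role2", NO_AUTH_DATA));

        // A subscription name that does not start with the role must be refused with an exception;
        // a plain boolean answer (true or false) fails the test.
        // NOTE(review): catching Exception accepts any failure, including unrelated ones; narrow it
        // to the exception type the service is expected to throw.
        try {
            auth.canConsume(ds1, "role1", NO_AUTH_DATA, "sub1");
            Assert.fail("expected canConsume to throw for role1 with subscription sub1");
        } catch (Exception expected) {
            // Expected: the subscription name lacks the role prefix.
        }
        try {
            auth.canConsume(ds1, "role2", NO_AUTH_DATA, "sub2");
            Assert.fail("expected canConsume to throw for role2 with subscription sub2");
        } catch (Exception expected) {
            // Expected: the subscription name lacks the role prefix.
        }

        // Role-prefixed subscription names are accepted.
        Assert.assertTrue(auth.canConsume(ds1, "role1", NO_AUTH_DATA, "role1-sub1"));
        Assert.assertTrue(auth.canConsume(ds1, "role2", NO_AUTH_DATA, "role2-sub2"));
        // A super-user role is allowed even though "role3-sub1" does not carry its own role prefix.
        Assert.assertTrue(auth.canConsume(ds1, "pulsar.super_user", NO_AUTH_DATA, "role3-sub1"));

        this.admin.namespaces().deleteNamespace(NAMESPACE);
        this.admin.tenants().deleteTenant("p1");
        this.admin.clusters().deleteCluster("c1");
    }

    /**
     * Pauses for 100 ms so that a policy change made through the admin client can take effect
     * before the next assertion. The delay is a fixed guess, not a synchronisation point.
     */
    private static void waitForChange() {
        try {
            Thread.sleep(100L);
        } catch (InterruptedException e) {
            // Keep the interrupt visible to the test runner instead of silently dropping it.
            Thread.currentThread().interrupt();
        }
    }
}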
