package org.graylog.plugins.views.search.rest;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.Predicate;
import javax.annotation.Nullable;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.core.Response;
import org.apache.shiro.subject.Subject;
import org.assertj.core.api.Assertions;
import org.graylog.plugins.views.search.Query;
import org.graylog.plugins.views.search.Search;
import org.graylog.plugins.views.search.SearchJob;
import org.graylog.plugins.views.search.db.SearchDbService;
import org.graylog.plugins.views.search.db.SearchJobService;
import org.graylog.plugins.views.search.engine.BackendQuery;
import org.graylog.plugins.views.search.engine.QueryEngine;
import org.graylog2.plugin.database.users.User;
import org.graylog2.plugin.indexer.searches.timeranges.RelativeRange;
import org.graylog2.plugin.indexer.searches.timeranges.TimeRange;
import org.graylog2.plugin.streams.Stream;
import org.graylog2.shared.bindings.GuiceInjectorHolder;
import org.graylog2.shared.bindings.providers.ObjectMapperProvider;
import org.graylog2.streams.StreamService;
import org.hamcrest.Matchers;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.mockito.ArgumentCaptor;
import org.mockito.ArgumentMatchers;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.MockitoJUnit;
import org.mockito.junit.MockitoRule;

/* loaded from: input_file:org/graylog/plugins/views/search/rest/SearchResourceStreamPermissionsTest.class */
public class SearchResourceStreamPermissionsTest {
    private static final ObjectMapperProvider objectMapperProvider = new ObjectMapperProvider();

    @Rule
    public MockitoRule rule = MockitoJUnit.rule();

    @Rule
    public ExpectedException thrown = ExpectedException.none();

    @Mock
    private QueryEngine queryEngine;

    @Mock
    private SearchDbService searchDbService;

    @Mock
    private SearchJobService searchJobService;

    @Mock
    private StreamService streamService;

    @Mock
    private Search search;

    @Mock
    private Subject subject;

    @Mock
    private Query query;
    private SearchResource searchResource;

    /* loaded from: input_file:org/graylog/plugins/views/search/rest/SearchResourceStreamPermissionsTest$SearchTestResource.class */
    static class SearchTestResource extends SearchResource {
        private final Subject subject;

        SearchTestResource(Subject subject, QueryEngine queryEngine, SearchDbService searchDbService, SearchJobService searchJobService, ObjectMapper objectMapper, StreamService streamService) {
            super(queryEngine, searchDbService, searchJobService, objectMapper, streamService, Collections.emptyMap());
            this.subject = subject;
        }

        protected Subject getSubject() {
            return this.subject;
        }

        @Nullable
        protected User getCurrentUser() {
            User user = (User) Mockito.mock(User.class);
            Mockito.when(user.getName()).thenReturn("admin");
            return user;
        }
    }

    @Before
    public void setUp() throws Exception {
        GuiceInjectorHolder.createInjector(Collections.emptyList());
        this.searchResource = new SearchTestResource(this.subject, this.queryEngine, this.searchDbService, this.searchJobService, objectMapperProvider.get(), this.streamService);
    }

    private List<Stream> allStreamsOfUser() {
        Stream stream = (Stream) Mockito.mock(Stream.class);
        Mockito.when(stream.getId()).thenReturn("stream1id");
        Mockito.when(Boolean.valueOf(this.subject.isPermitted("streams:read:stream1id"))).thenReturn(true);
        Stream stream2 = (Stream) Mockito.mock(Stream.class);
        Mockito.when(stream2.getId()).thenReturn("stream2id");
        Mockito.when(Boolean.valueOf(this.subject.isPermitted("streams:read:stream2id"))).thenReturn(true);
        Stream stream3 = (Stream) Mockito.mock(Stream.class);
        Mockito.when(stream3.getId()).thenReturn("stream3id");
        Mockito.when(Boolean.valueOf(this.subject.isPermitted("streams:read:stream3id"))).thenReturn(true);
        return ImmutableList.of(stream, stream2, stream3);
    }

    @Test
    public void executingSearchWithoutStreamsUsesAllStreamsOfUser() {
        Mockito.when(this.query.usedStreamIds()).thenReturn(ImmutableSet.of());
        Mockito.when(this.query.toBuilder()).thenReturn(Query.builder().id("someQuery").query(new BackendQuery.Fallback()).timerange((TimeRange) Mockito.mock(RelativeRange.class)));
        Mockito.when(this.query.id()).thenReturn("someQuery");
        Mockito.when(this.searchDbService.getForUser((String) ArgumentMatchers.eq("searchId"), (User) ArgumentMatchers.any(), (Predicate) ArgumentMatchers.any())).thenReturn(Optional.of(Search.Builder.create().id("searchId").queries(ImmutableSet.of(this.query)).build()));
        SearchJob searchJob = (SearchJob) Mockito.mock(SearchJob.class);
        Mockito.when(this.searchJobService.create((Search) ArgumentMatchers.any(Search.class), (String) ArgumentMatchers.any(String.class))).thenReturn(searchJob);
        Mockito.when(this.queryEngine.execute(searchJob)).thenReturn(searchJob);
        Mockito.when(searchJob.getId()).thenReturn("searchJobId");
        Mockito.when(this.streamService.loadAll()).thenReturn(allStreamsOfUser());
        Assertions.assertThat(this.searchResource.executeQuery("searchId", Collections.emptyMap()).getStatusInfo().getFamily()).isEqualTo(Response.Status.Family.SUCCESSFUL);
        ArgumentCaptor forClass = ArgumentCaptor.forClass(Search.class);
        ((SearchJobService) Mockito.verify(this.searchJobService, Mockito.times(1))).create((Search) forClass.capture(), (String) ArgumentMatchers.any());
        Optional query = ((Search) forClass.getValue()).getQuery("someQuery");
        Assertions.assertThat(query).isPresent();
        Assertions.assertThat(((Query) query.get()).usedStreamIds()).containsExactlyInAnyOrder(new String[]{"stream1id", "stream2id", "stream3id"});
    }

    @Test
    public void executingSearchWithoutAccessToAnyStreamsFails() {
        Mockito.when(this.query.usedStreamIds()).thenReturn(ImmutableSet.of());
        Mockito.when(this.query.toBuilder()).thenReturn(Query.builder().id("someQuery").query(new BackendQuery.Fallback()).timerange((TimeRange) Mockito.mock(RelativeRange.class)));
        Mockito.when(this.query.id()).thenReturn("someQuery");
        Mockito.when(this.searchDbService.getForUser((String) ArgumentMatchers.eq("searchId"), (User) ArgumentMatchers.any(), (Predicate) ArgumentMatchers.any())).thenReturn(Optional.of(Search.Builder.create().id("searchId").queries(ImmutableSet.of(this.query)).build()));
        Mockito.when(this.streamService.loadAll()).thenReturn(Collections.emptyList());
        this.thrown.expect(ForbiddenException.class);
        try {
            this.searchResource.executeQuery("searchId", Collections.emptyMap());
        } catch (ForbiddenException e) {
            ((SearchJobService) Mockito.verify(this.searchJobService, Mockito.never())).create((Search) ArgumentMatchers.any(), (String) ArgumentMatchers.any());
            ((QueryEngine) Mockito.verify(this.queryEngine, Mockito.never())).execute((SearchJob) ArgumentMatchers.any());
            throw e;
        }
    }

    @Test
    public void referencingNonpermittedStreamsFails() {
        Mockito.when(this.searchDbService.getForUser((String) ArgumentMatchers.eq("searchId"), (User) ArgumentMatchers.any(), (Predicate) ArgumentMatchers.any())).thenReturn(Optional.of(this.search));
        Mockito.when(this.search.queries()).thenReturn(ImmutableSet.of(this.query));
        Mockito.when(this.query.usedStreamIds()).thenReturn(ImmutableSet.of("allowedstream1", "allowedstream2", "disallowedstream"));
        Mockito.when(Boolean.valueOf(this.subject.isPermitted("streams:read:allowedstream1"))).thenReturn(true);
        Mockito.when(Boolean.valueOf(this.subject.isPermitted("streams:read:allowedstream2"))).thenReturn(true);
        Mockito.when(Boolean.valueOf(this.subject.isPermitted("streams:read:disallowedstream"))).thenReturn(false);
        this.thrown.expect(ForbiddenException.class);
        this.thrown.expectMessage(Matchers.describedAs("Disallowed stream id must not leak.", Matchers.not(Matchers.containsString("disallowedstream")), new Object[0]));
        this.searchResource.executeQuery("searchId", Collections.emptyMap());
    }

    @Test
    public void referencingPermittedStreamsSucceeds() {
        Mockito.when(this.searchDbService.getForUser((String) ArgumentMatchers.eq("searchId"), (User) ArgumentMatchers.any(), (Predicate) ArgumentMatchers.any())).thenReturn(Optional.of(this.search));
        Mockito.when(this.search.queries()).thenReturn(ImmutableSet.of(this.query));
        Mockito.when(this.search.applyExecutionState((ObjectMapper) ArgumentMatchers.any(), (Map) ArgumentMatchers.any())).thenReturn(this.search);
        Mockito.when(this.query.usedStreamIds()).thenReturn(ImmutableSet.of("allowedstream1", "allowedstream2", "allowedstream3"));
        Mockito.when(Boolean.valueOf(this.subject.isPermitted("streams:read:allowedstream1"))).thenReturn(true);
        Mockito.when(Boolean.valueOf(this.subject.isPermitted("streams:read:allowedstream2"))).thenReturn(true);
        Mockito.when(Boolean.valueOf(this.subject.isPermitted("streams:read:allowedstream3"))).thenReturn(true);
        SearchJob searchJob = (SearchJob) Mockito.mock(SearchJob.class);
        Mockito.when(this.searchJobService.create((Search) ArgumentMatchers.eq(this.search), (String) ArgumentMatchers.any(String.class))).thenReturn(searchJob);
        Mockito.when(this.queryEngine.execute(searchJob)).thenReturn(searchJob);
        Mockito.when(searchJob.getId()).thenReturn("searchJobId");
        Assertions.assertThat(this.searchResource.executeQuery("searchId", Collections.emptyMap()).getStatusInfo().getFamily()).isEqualTo(Response.Status.Family.SUCCESSFUL);
        ArgumentCaptor forClass = ArgumentCaptor.forClass(String.class);
        ((Subject) Mockito.verify(this.subject, Mockito.times(3))).isPermitted((String) forClass.capture());
        Assertions.assertThat(forClass.getAllValues()).containsExactlyInAnyOrder(new String[]{"streams:read:allowedstream1", "streams:read:allowedstream2", "streams:read:allowedstream3"});
    }
}
