package org.openmetadata.service.resources.permissions;

import java.io.IOException;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.json.Json;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.Response;
import org.apache.http.client.HttpResponseException;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.TestInfo;
import org.openmetadata.schema.CreateEntity;
import org.openmetadata.schema.entity.data.Table;
import org.openmetadata.schema.entity.policies.Policy;
import org.openmetadata.schema.entity.policies.accessControl.Rule;
import org.openmetadata.schema.entity.teams.User;
import org.openmetadata.schema.type.MetadataOperation;
import org.openmetadata.schema.type.Permission;
import org.openmetadata.schema.type.ResourceDescriptor;
import org.openmetadata.schema.type.ResourcePermission;
import org.openmetadata.service.OpenMetadataApplicationTest;
import org.openmetadata.service.ResourceRegistry;
import org.openmetadata.service.exception.CatalogExceptionMessage;
import org.openmetadata.service.resources.EntityResourceTest;
import org.openmetadata.service.resources.databases.TableResourceTest;
import org.openmetadata.service.resources.permissions.PermissionsResource;
import org.openmetadata.service.resources.policies.PolicyResourceTest;
import org.openmetadata.service.security.SecurityUtil;
import org.openmetadata.service.security.policyevaluator.CompiledRule;
import org.openmetadata.service.security.policyevaluator.OperationContext;
import org.openmetadata.service.security.policyevaluator.PolicyEvaluator;
import org.openmetadata.service.util.JsonUtils;
import org.openmetadata.service.util.TestUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/openmetadata/service/resources/permissions/PermissionsResourceTest.class */
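/**
 * Integration tests for the {@code permissions} REST endpoints.
 *
 * <p>Each test builds the expected permission set with {@link ResourcePermissionsBuilder} and
 * compares it with what the endpoint returns for an admin, a DataConsumer user or a DataSteward
 * user. The class also checks that a non-admin caller cannot list another user's permissions.
 *
 * <p>NOTE(review): the only denial asserted in this class is on the list endpoint
 * ({@code permissions?user=...}). The per-resource and per-entity lookups are exercised only for
 * the caller itself or by an admin, so a cross-user lookup by a non-admin on those paths is not
 * covered here.
 */
class PermissionsResourceTest extends OpenMetadataApplicationTest {
    private static final String ORGANIZATION_POLICY_NAME = "OrganizationPolicy";
    private static final String POLICY_FIELDS = "owners,location,teams,roles";
    private static final String DATA_CONSUMER_EMAIL = "user-data-consumer@open-metadata.org";
    private static final String DATA_STEWARD_EMAIL = "user-data-steward@open-metadata.org";

    private static Rule ORG_IS_OWNER_RULE;
    private static Rule ORG_NO_OWNER_RULE;
    private static final String DATA_STEWARD_ROLE_NAME = "DataSteward";
    private static Policy DATA_STEWARD_POLICY;
    private static final String DATA_STEWARD_POLICY_NAME = "DataStewardPolicy";
    private static List<Rule> DATA_STEWARD_RULES;
    private static final String DATA_CONSUMER_ROLE_NAME = "DataConsumer";
    private static Policy DATA_CONSUMER_POLICY;
    private static final String DATA_CONSUMER_POLICY_NAME = "DataConsumerPolicy";
    private static List<Rule> DATA_CONSUMER_RULES;
    private static final List<MetadataOperation> DATA_STEWARD_ALLOWED;
    private static final String DATA_STEWARD_USER_NAME = "user-data-steward";
    private static User DATA_STEWARD_USER;
    private static final String DATA_CONSUMER_USER_NAME = "user-data-consumer";
    private static User DATA_CONSUMER_USER;
    private static final Logger LOG = LoggerFactory.getLogger(PermissionsResourceTest.class);
    private static final List<MetadataOperation> ORG_IS_OWNER_RULE_OPERATIONS = OperationContext.getAllOperations(new MetadataOperation[0]);
    private static final List<MetadataOperation> ORG_NO_OWNER_RULE_OPERATIONS = List.of(MetadataOperation.EDIT_OWNERS);
    // Copied so the additions in the static block below cannot leak into any list that
    // OperationContext may retain or hand out again.
    private static final List<MetadataOperation> DATA_CONSUMER_ALLOWED = new ArrayList<>(OperationContext.getViewOperations(new MetadataOperation[0]));

    static {
        // DataConsumer: view operations plus description and tag edits.
        DATA_CONSUMER_ALLOWED.addAll(List.of(MetadataOperation.EDIT_DESCRIPTION, MetadataOperation.EDIT_TAGS));
        // DataSteward: everything a DataConsumer has plus owner, display-name and lineage edits.
        DATA_STEWARD_ALLOWED = new ArrayList<>(DATA_CONSUMER_ALLOWED);
        DATA_STEWARD_ALLOWED.addAll(List.of(MetadataOperation.EDIT_OWNERS, MetadataOperation.EDIT_DISPLAY_NAME, MetadataOperation.EDIT_LINEAGE));
    }

    /**
     * Builds the expected permissions for every resource, starting from a baseline in which each
     * operation is {@code NOT_ALLOW} and layering grants on top of it.
     */
    public static class ResourcePermissionsBuilder {
        private final List<ResourcePermission> resourcePermissions = PolicyEvaluator.getResourcePermissions(Permission.Access.NOT_ALLOW);

        /**
         * Applies a grant to every resource held by this builder.
         *
         * @param operations operations the grant covers
         * @param access access level to record
         * @param role role name stored on the permission, may be {@code null}
         * @param policy policy name stored on the permission
         * @param rule rule stored on the permission
         */
        public void setPermission(List<MetadataOperation> operations, Permission.Access access, String role, String policy, Rule rule) {
            for (ResourcePermission resourcePermission : this.resourcePermissions) {
                setPermission(resourcePermission, operations, access, role, policy, rule);
            }
        }

        /**
         * Returns the expected permissions for one resource.
         *
         * @param resource resource name to look up
         * @return the matching entry, or {@code null} when this builder holds none for it
         */
        public ResourcePermission getPermission(String resource) {
            return this.resourcePermissions.stream()
                    .filter(resourcePermission -> resourcePermission.getResource().equals(resource))
                    .findAny()
                    .orElse(null);
        }

        /**
         * Applies the grant to one resource. A permission is overwritten only when its operation
         * is in {@code operations} and {@code CompiledRule.overrideAccess} accepts replacing the
         * current access with the new one.
         */
        private void setPermission(ResourcePermission resourcePermission, List<MetadataOperation> operations, Permission.Access access, String role, String policy, Rule rule) {
            for (Permission permission : resourcePermission.getPermissions()) {
                boolean covered = operations.contains(permission.getOperation());
                if (covered && CompiledRule.overrideAccess(access, permission.getAccess())) {
                    permission.withAccess(access).withRole(role).withPolicy(policy).withRule(rule);
                }
            }
        }

        /** Returns the live list of expected permissions, one entry per resource. */
        public List<ResourcePermission> getResourcePermissions() {
            return this.resourcePermissions;
        }
    }

    PermissionsResourceTest() {
    }

    /**
     * Loads the policies, rules and users that the tests compare against.
     *
     * <p>The first two rules of OrganizationPolicy are taken positionally as the no-owner rule
     * and the is-owner rule.
     */
    @BeforeAll
    static void setup(TestInfo testInfo) throws IOException, URISyntaxException {
        new TableResourceTest().setup(testInfo);
        PolicyResourceTest policyResourceTest = new PolicyResourceTest();
        List<Rule> organizationRules = policyResourceTest.getEntityByName(ORGANIZATION_POLICY_NAME, null, POLICY_FIELDS, TestUtils.ADMIN_AUTH_HEADERS).getRules();
        ORG_NO_OWNER_RULE = organizationRules.get(0);
        ORG_IS_OWNER_RULE = organizationRules.get(1);
        DATA_STEWARD_POLICY = policyResourceTest.getEntityByName(DATA_STEWARD_POLICY_NAME, null, POLICY_FIELDS, TestUtils.ADMIN_AUTH_HEADERS);
        DATA_STEWARD_RULES = DATA_STEWARD_POLICY.getRules();
        DATA_STEWARD_USER = EntityResourceTest.DATA_STEWARD;
        DATA_CONSUMER_POLICY = policyResourceTest.getEntityByName(DATA_CONSUMER_POLICY_NAME, null, POLICY_FIELDS, TestUtils.ADMIN_AUTH_HEADERS);
        DATA_CONSUMER_RULES = DATA_CONSUMER_POLICY.getRules();
        DATA_CONSUMER_USER = EntityResourceTest.DATA_CONSUMER;
    }

    /** A non-admin asking for another user's permissions must be rejected with 403. */
    @Test
    void get_anotherUserPermission_disallowed() {
        Map<String, String> authHeaders = SecurityUtil.authHeaders(DATA_CONSUMER_EMAIL);
        TestUtils.assertResponse(() -> {
            getPermissions(DATA_STEWARD_USER_NAME, authHeaders);
        }, Response.Status.FORBIDDEN, CatalogExceptionMessage.notAdmin(DATA_CONSUMER_USER_NAME));
    }

    /** An admin is expected to see ALLOW for every operation on every resource. */
    @Test
    void get_admin_permissions_for_role() throws HttpResponseException {
        List<ResourcePermission> expected = PolicyEvaluator.trimResourcePermissions(PolicyEvaluator.getResourcePermissions(Permission.Access.ALLOW));
        Assertions.assertEquals(expected, getPermissions(TestUtils.ADMIN_AUTH_HEADERS));
    }

    /**
     * Checks the DataConsumer's permissions through the list endpoint (as the user and as an
     * admin on the user's behalf) and through the per-resource endpoint.
     */
    @Test
    void get_dataConsumer_permissions_for_role() throws HttpResponseException {
        Map<String, String> authHeaders = SecurityUtil.authHeaders(DATA_CONSUMER_EMAIL);
        List<ResourcePermission> ownView = getPermissions(authHeaders);

        ResourcePermissionsBuilder expected = new ResourcePermissionsBuilder();
        expected.setPermission(DATA_CONSUMER_ALLOWED, Permission.Access.ALLOW, DATA_CONSUMER_ROLE_NAME, DATA_CONSUMER_POLICY_NAME, DATA_CONSUMER_RULES.get(0));
        // The organization-wide rules carry conditions, so without an entity they can only be
        // reported as CONDITIONAL_ALLOW.
        expected.setPermission(ORG_NO_OWNER_RULE_OPERATIONS, Permission.Access.CONDITIONAL_ALLOW, null, ORGANIZATION_POLICY_NAME, ORG_NO_OWNER_RULE);
        expected.setPermission(ORG_IS_OWNER_RULE_OPERATIONS, Permission.Access.CONDITIONAL_ALLOW, null, ORGANIZATION_POLICY_NAME, ORG_IS_OWNER_RULE);

        assertResourcePermissions(PolicyEvaluator.trimResourcePermissions(expected.getResourcePermissions()), ownView);

        // An admin asking on behalf of the DataConsumer must see the same answer.
        List<ResourcePermission> adminView = getPermissions(DATA_CONSUMER_USER_NAME, TestUtils.ADMIN_AUTH_HEADERS);
        assertResourcePermissions(PolicyEvaluator.trimResourcePermissions(expected.getResourcePermissions()), adminView);

        // Per-resource lookup without the `user` parameter.
        for (ResourceDescriptor descriptor : ResourceRegistry.listResourceDescriptors()) {
            ResourcePermission actual = getPermission(descriptor.getName(), null, authHeaders);
            assertResourcePermission(PolicyEvaluator.trimResourcePermission(expected.getPermission(descriptor.getName())), actual);
        }
        // Per-resource lookup with `user` naming the caller itself.
        for (ResourceDescriptor descriptor : ResourceRegistry.listResourceDescriptors()) {
            ResourcePermission actual = getPermission(descriptor.getName(), DATA_CONSUMER_USER_NAME, authHeaders);
            assertResourcePermission(PolicyEvaluator.trimResourcePermission(expected.getPermission(descriptor.getName())), actual);
        }
    }

    /** Checks the DataSteward's permissions through the list endpoint. */
    @Test
    void get_dataSteward_permissions_for_role() throws HttpResponseException {
        Map<String, String> authHeaders = SecurityUtil.authHeaders(DATA_STEWARD_EMAIL);
        ResourcePermissionsBuilder expected = new ResourcePermissionsBuilder();
        expected.setPermission(DATA_STEWARD_ALLOWED, Permission.Access.ALLOW, DATA_STEWARD_ROLE_NAME, DATA_STEWARD_POLICY_NAME, DATA_STEWARD_RULES.get(0));
        expected.setPermission(ORG_NO_OWNER_RULE_OPERATIONS, Permission.Access.CONDITIONAL_ALLOW, null, ORGANIZATION_POLICY_NAME, ORG_NO_OWNER_RULE);
        expected.setPermission(ORG_IS_OWNER_RULE_OPERATIONS, Permission.Access.CONDITIONAL_ALLOW, null, ORGANIZATION_POLICY_NAME, ORG_IS_OWNER_RULE);
        assertResourcePermissions(PolicyEvaluator.trimResourcePermissions(expected.getResourcePermissions()), getPermissions(authHeaders));
    }

    /**
     * Checks the permissions computed for an explicit list of policy ids: first the DataConsumer
     * policy alone, then DataConsumer and DataSteward together. No role is attached because the
     * policies are evaluated directly.
     */
    @Test
    void get_permissionsForPolicies() throws HttpResponseException {
        List<UUID> policyIds = new ArrayList<>(List.of(DATA_CONSUMER_POLICY.getId()));
        List<ResourcePermission> consumerOnly = getPermissionsForPolicies(policyIds, TestUtils.ADMIN_AUTH_HEADERS);

        ResourcePermissionsBuilder expected = new ResourcePermissionsBuilder();
        expected.setPermission(DATA_CONSUMER_ALLOWED, Permission.Access.ALLOW, null, DATA_CONSUMER_POLICY_NAME, DATA_CONSUMER_RULES.get(0));
        assertResourcePermissions(PolicyEvaluator.trimResourcePermissions(expected.getResourcePermissions()), consumerOnly);

        policyIds.add(DATA_STEWARD_POLICY.getId());
        List<ResourcePermission> consumerAndSteward = getPermissionsForPolicies(policyIds, TestUtils.ADMIN_AUTH_HEADERS);
        expected.setPermission(DATA_STEWARD_ALLOWED, Permission.Access.ALLOW, null, DATA_STEWARD_POLICY_NAME, DATA_STEWARD_RULES.get(0));
        assertResourcePermissions(PolicyEvaluator.trimResourcePermissions(expected.getResourcePermissions()), consumerAndSteward);
    }

    /**
     * On a table owned by someone else, the DataConsumer is expected to have only the grants of
     * the DataConsumer policy.
     */
    @Test
    void get_non_owner_permissions() throws HttpResponseException {
        TableResourceTest tableResourceTest = new TableResourceTest();
        Map<String, String> authHeaders = SecurityUtil.authHeaders(DATA_CONSUMER_EMAIL);

        ResourcePermissionsBuilder expected = new ResourcePermissionsBuilder();
        expected.setPermission(DATA_CONSUMER_ALLOWED, Permission.Access.ALLOW, DATA_CONSUMER_ROLE_NAME, DATA_CONSUMER_POLICY_NAME, DATA_CONSUMER_RULES.get(0));
        ResourcePermission expectedForTable = PolicyEvaluator.trimResourcePermission(expected.getPermission("table"));

        // NOTE(review): `mo39createRequest` looks like a decompiler-generated alias; confirm the
        // real method name against the project sources.
        Table table = tableResourceTest.createEntity((CreateEntity) tableResourceTest.mo39createRequest("permissionTest1").withOwners(List.of(DATA_STEWARD_USER.getEntityReference())), TestUtils.ADMIN_AUTH_HEADERS);

        assertResourcePermission(expectedForTable, getPermission("table", table.getId(), null, authHeaders));
    }

    /**
     * On a table the DataConsumer owns, the is-owner rule of OrganizationPolicy is expected to
     * apply as a plain ALLOW. The test then narrows that rule one edit operation at a time and
     * checks that the reported permissions follow.
     *
     * <p>OrganizationPolicy is shared with the other tests, so the operations of its second rule
     * are put back in a {@code finally} block.
     */
    @Test
    void get_owner_permissions() throws HttpResponseException {
        TableResourceTest tableResourceTest = new TableResourceTest();
        Map<String, String> authHeaders = SecurityUtil.authHeaders(DATA_CONSUMER_EMAIL);
        // NOTE(review): `mo39createRequest` looks like a decompiler-generated alias; confirm the
        // real method name against the project sources.
        Table table = tableResourceTest.createEntity((CreateEntity) tableResourceTest.mo39createRequest("permissionTest").withDescription("description").withDisplayName("display").withOwners(List.of(DATA_CONSUMER_USER.getEntityReference())), TestUtils.ADMIN_AUTH_HEADERS);

        ResourcePermissionsBuilder expected = new ResourcePermissionsBuilder();
        expected.setPermission(DATA_CONSUMER_ALLOWED, Permission.Access.ALLOW, DATA_CONSUMER_ROLE_NAME, DATA_CONSUMER_POLICY_NAME, DATA_CONSUMER_RULES.get(0));
        expected.setPermission(ORG_IS_OWNER_RULE_OPERATIONS, Permission.Access.ALLOW, null, ORGANIZATION_POLICY_NAME, ORG_IS_OWNER_RULE);

        // Same answer by id, by fully qualified name, and for an admin asking on the user's behalf.
        assertResourcePermission(PolicyEvaluator.trimResourcePermission(expected.getPermission("table")), getPermission("table", table.getId(), null, authHeaders));
        assertResourcePermission(PolicyEvaluator.trimResourcePermission(expected.getPermission("table")), getPermissionByName("table", table.getFullyQualifiedName(), null, authHeaders));
        assertResourcePermission(PolicyEvaluator.trimResourcePermission(expected.getPermission("table")), getPermission("table", table.getId(), DATA_CONSUMER_USER_NAME, TestUtils.ADMIN_AUTH_HEADERS));

        PolicyResourceTest policyResourceTest = new PolicyResourceTest();
        Policy orgPolicy = policyResourceTest.getEntityByName(ORGANIZATION_POLICY_NAME, "", TestUtils.ADMIN_AUTH_HEADERS);
        List<Rule> orgRules = orgPolicy.getRules();
        // Snapshot of the rule that the loop rewrites, used to restore it afterwards.
        List<MetadataOperation> originalOwnerRuleOperations = new ArrayList<>(orgRules.get(1).getOperations());
        List<MetadataOperation> editOperations = OperationContext.getOperations("table", "Edit", new MetadataOperation[]{MetadataOperation.EDIT_ALL, MetadataOperation.EDIT_DESCRIPTION, MetadataOperation.EDIT_TAGS});
        try {
            for (MetadataOperation removedOperation : editOperations) {
                List<MetadataOperation> remainingOperations = editOperations.stream()
                        .filter(operation -> operation != removedOperation)
                        .collect(Collectors.toList());
                LOG.info("Removing permission for {}", removedOperation);

                // Patch the second rule so that it grants everything except removedOperation.
                String originalJson = JsonUtils.pojoToJson(orgPolicy);
                List<Rule> rulesToPatch = orgPolicy.getRules();
                rulesToPatch.get(1).withOperations(remainingOperations);
                orgPolicy = policyResourceTest.patchEntity(orgPolicy.getId(), originalJson, orgPolicy, TestUtils.ADMIN_AUTH_HEADERS);
                List<Rule> patchedRules = orgPolicy.getRules();

                ResourcePermissionsBuilder expectedAfterPatch = new ResourcePermissionsBuilder();
                expectedAfterPatch.setPermission(DATA_CONSUMER_ALLOWED, Permission.Access.ALLOW, DATA_CONSUMER_ROLE_NAME, DATA_CONSUMER_POLICY_NAME, DATA_CONSUMER_RULES.get(0));
                expectedAfterPatch.setPermission(remainingOperations, Permission.Access.ALLOW, null, ORGANIZATION_POLICY_NAME, patchedRules.get(1));
                assertResourcePermission(PolicyEvaluator.trimResourcePermission(expectedAfterPatch.getPermission("table")), getPermissionByName("table", table.getFullyQualifiedName(), null, authHeaders));

                // NOTE(review): the JSON patch below is built and then discarded, so the removed
                // operation is never attempted against the table. This test therefore checks the
                // reported permissions only, not that the server refuses the operation.
                if (ResourceRegistry.getField(removedOperation) != null) {
                    Json.createPatchBuilder().remove("/" + ResourceRegistry.getField(removedOperation)).build();
                } else {
                    LOG.warn("Field for operation {} is null", removedOperation);
                }
            }
        } finally {
            // Re-read the policy so the restore patch is computed against the server's current
            // state even when the loop stopped halfway through an iteration.
            Policy currentPolicy = policyResourceTest.getEntityByName(ORGANIZATION_POLICY_NAME, "", TestUtils.ADMIN_AUTH_HEADERS);
            String currentJson = JsonUtils.pojoToJson(currentPolicy);
            List<Rule> currentRules = currentPolicy.getRules();
            currentRules.get(1).withOperations(originalOwnerRuleOperations);
            policyResourceTest.patchEntity(currentPolicy.getId(), currentJson, currentPolicy, TestUtils.ADMIN_AUTH_HEADERS);
        }
    }

    /**
     * Asserts that two permission lists hold the same entries, ignoring order. Sorted copies are
     * compared so that neither argument is reordered.
     */
    private void assertResourcePermissions(List<ResourcePermission> expected, List<ResourcePermission> actual) {
        Assertions.assertEquals(expected.size(), actual.size());
        Comparator<ResourcePermission> byResource = Comparator.comparing(ResourcePermission::getResource);
        List<ResourcePermission> expectedSorted = new ArrayList<>(expected);
        List<ResourcePermission> actualSorted = new ArrayList<>(actual);
        expectedSorted.sort(byResource);
        actualSorted.sort(byResource);
        for (int i = 0; i < expectedSorted.size(); i++) {
            assertResourcePermission(expectedSorted.get(i), actualSorted.get(i));
        }
    }

    /**
     * Asserts that two resources carry equal permissions, ignoring order. Sorted copies are
     * compared so that neither argument's permission list is reordered.
     */
    private void assertResourcePermission(ResourcePermission expected, ResourcePermission actual) {
        Assertions.assertEquals(expected.getPermissions().size(), actual.getPermissions().size());
        Comparator<Permission> byOperation = Comparator.comparing(Permission::getOperation);
        List<Permission> expectedSorted = new ArrayList<>(expected.getPermissions());
        List<Permission> actualSorted = new ArrayList<>(actual.getPermissions());
        expectedSorted.sort(byOperation);
        actualSorted.sort(byOperation);
        for (int i = 0; i < expectedSorted.size(); i++) {
            Assertions.assertEquals(expectedSorted.get(i), actualSorted.get(i));
        }
    }

    /** Adds the {@code user} query parameter when a user name is given. */
    private static WebTarget withUser(WebTarget target, String user) {
        return user != null ? target.queryParam("user", user) : target;
    }

    /**
     * Lists the caller's own permissions.
     *
     * @param authHeaders headers identifying the caller
     */
    public List<ResourcePermission> getPermissions(Map<String, String> authHeaders) throws HttpResponseException {
        return getPermissions(null, authHeaders);
    }

    /**
     * Lists permissions, optionally for another user.
     *
     * @param user user to query, or {@code null} for the caller
     * @param authHeaders headers identifying the caller
     */
    public List<ResourcePermission> getPermissions(String user, Map<String, String> authHeaders) throws HttpResponseException {
        WebTarget target = withUser(getResource("permissions"), user);
        return ((PermissionsResource.ResourcePermissionList) TestUtils.get(target, PermissionsResource.ResourcePermissionList.class, authHeaders)).getData();
    }

    /**
     * Fetches the permissions for one resource type.
     *
     * @param resource resource name appended to the path
     * @param user user to query, or {@code null} for the caller
     * @param authHeaders headers identifying the caller
     */
    public ResourcePermission getPermission(String resource, String user, Map<String, String> authHeaders) throws HttpResponseException {
        WebTarget target = withUser(getResource("permissions/" + resource), user);
        return (ResourcePermission) TestUtils.get(target, ResourcePermission.class, authHeaders);
    }

    /**
     * Fetches the permissions for one entity, addressed by id.
     *
     * @param resource resource name appended to the path
     * @param id entity id appended to the path
     * @param user user to query, or {@code null} for the caller
     * @param authHeaders headers identifying the caller
     */
    public ResourcePermission getPermission(String resource, UUID id, String user, Map<String, String> authHeaders) throws HttpResponseException {
        WebTarget target = withUser(getResource("permissions/" + resource + "/" + id), user);
        return (ResourcePermission) TestUtils.get(target, ResourcePermission.class, authHeaders);
    }

    /**
     * Fetches the permissions for one entity, addressed by name.
     *
     * @param resource resource name appended to the path
     * @param name entity name appended after {@code /name/}
     * @param user user to query, or {@code null} for the caller
     * @param authHeaders headers identifying the caller
     */
    public ResourcePermission getPermissionByName(String resource, String name, String user, Map<String, String> authHeaders) throws HttpResponseException {
        WebTarget target = withUser(getResource("permissions/").path(resource).path("/name/").path(name), user);
        return (ResourcePermission) TestUtils.get(target, ResourcePermission.class, authHeaders);
    }

    /**
     * Fetches the permissions granted by the given policies.
     *
     * @param policyIds policy ids, each sent as one {@code ids} query parameter
     * @param authHeaders headers identifying the caller
     */
    public List<ResourcePermission> getPermissionsForPolicies(List<UUID> policyIds, Map<String, String> authHeaders) throws HttpResponseException {
        WebTarget target = getResource("permissions/policies");
        for (UUID policyId : policyIds) {
            target = target.queryParam("ids", policyId);
        }
        return ((PermissionsResource.ResourcePermissionList) TestUtils.get(target, PermissionsResource.ResourcePermissionList.class, authHeaders)).getData();
    }
}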
