package org.apache.pulsar.broker.admin;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.Sets;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import java.util.Set;
import java.util.UUID;
import javax.crypto.SecretKey;
import org.apache.pulsar.broker.PulsarService;
import org.apache.pulsar.broker.auth.MockedPulsarServiceBaseTest;
import org.apache.pulsar.broker.authentication.AuthenticationProviderToken;
import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils;
import org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider;
import org.apache.pulsar.client.admin.PulsarAdmin;
import org.apache.pulsar.client.admin.PulsarAdminException;
import org.apache.pulsar.client.impl.auth.AuthenticationToken;
import org.apache.pulsar.common.policies.data.AuthAction;
import org.apache.pulsar.common.policies.data.ClusterData;
import org.apache.pulsar.common.policies.data.TenantInfo;
import org.testng.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

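/**
 * Authorization tests for the namespace-property admin API.
 *
 * <p>The broker is started with token (JWT) authentication and {@link PulsarAuthorizationProvider}.
 * Three kinds of principal are exercised against {@code public/default}:
 * <ul>
 *   <li>a super user ({@code super-user}) - every property operation must succeed;</li>
 *   <li>a tenant admin (random subject added to the tenant's admin roles) - must succeed;</li>
 *   <li>an authenticated subject with no role - every property operation must be rejected with
 *       {@link PulsarAdminException.NotAuthorizedException}, and must stay rejected after the
 *       subject is granted each individual {@link AuthAction} on the namespace.</li>
 * </ul>
 */
@Test(groups = {"broker-admin"})
public class NamespaceAuthZTest extends MockedPulsarServiceBaseTest {
    private PulsarAdmin superUserAdmin;
    private PulsarAdmin tenantManagerAdmin;
    private PulsarService pulsarService;
    private PulsarAdmin serviceInternalAdmin;
    // Test-only HS256 key, generated when the class is initialized. The same key is handed to the
    // broker as "tokenSecretKey" and used to sign every token below.
    private static final SecretKey SECRET_KEY = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
    private static final String TENANT_ADMIN_SUBJECT = UUID.randomUUID().toString();
    // The tokens carry only a "sub" claim (no expiry); they are valid for as long as SECRET_KEY is.
    private static final String TENANT_ADMIN_TOKEN = Jwts.builder().claim("sub", TENANT_ADMIN_SUBJECT).signWith(SECRET_KEY).compact();
    protected static final String SUPER_USER_SUBJECT = "super-user";
    protected static final String SUPER_USER_TOKEN = Jwts.builder().claim("sub", SUPER_USER_SUBJECT).signWith(SECRET_KEY).compact();
    private static final String BROKER_INTERNAL_CLIENT_SUBJECT = "broker_internal";
    private static final String BROKER_INTERNAL_CLIENT_TOKEN = Jwts.builder().claim("sub", BROKER_INTERNAL_CLIENT_SUBJECT).signWith(SECRET_KEY).compact();
    protected static final ObjectMapper MAPPER = new ObjectMapper();
    private static final String DEFAULT_TENANT = "public";
    private static final String DEFAULT_NAMESPACE = "public/default";
    private static final String TEST_CLUSTER_NAME = "test-standalone";

    /**
     * Prepares the broker configuration: the test cluster name, ephemeral ports (0) for all
     * listeners, and {@code localhost} as the advertised address.
     */
    public NamespaceAuthZTest() {
        this.conf.setClusterName(TEST_CLUSTER_NAME);
        this.conf.setBrokerShutdownTimeoutMs(0L);
        this.conf.setBrokerServicePort(Optional.of(0));
        this.conf.setBrokerServicePortTls(Optional.of(0));
        this.conf.setAdvertisedAddress("localhost");
        this.conf.setWebServicePort(Optional.of(0));
        this.conf.setWebServicePortTls(Optional.of(0));
        this.conf.setNumExecutorThreadPoolSize(5);
        this.conf.setExposeBundlesMetricsInPrometheus(true);
    }

    /**
     * Starts the broker with authentication and authorization enabled, creates the default
     * cluster/tenant/namespace, and builds the super-user and tenant-admin clients.
     *
     * @throws Exception if the broker cannot be started or an admin call fails
     */
    @Override
    @BeforeClass
    protected void setup() throws Exception {
        this.conf.setAuthenticationEnabled(true);
        this.conf.setAuthorizationEnabled(true);
        this.conf.getProperties().setProperty("tokenSecretKey", "data:;base64," + Base64.getEncoder().encodeToString(SECRET_KEY.getEncoded()));
        // NOTE(review): the "admin" super-user role, the provider set and the tokenSecretKey set
        // here are all overwritten by configureTokenAuthentication() and
        // configureDefaultAuthorization() below. The effective super-user roles are
        // SUPER_USER_SUBJECT and BROKER_INTERNAL_CLIENT_SUBJECT; "admin" is never one of them.
        Set<String> initialSuperUserRoles = new HashSet<>();
        initialSuperUserRoles.add("admin");
        this.conf.setSuperUserRoles(initialSuperUserRoles);
        Set<String> initialProviders = new HashSet<>();
        initialProviders.add(AuthenticationProviderToken.class.getName());
        this.conf.setAuthenticationProviders(initialProviders);
        configureTokenAuthentication();
        configureDefaultAuthorization();
        super.internalSetup();
        this.pulsarService = getPulsar();
        this.serviceInternalAdmin = this.pulsarService.getAdminClient();
        setupDefaultTenantAndNamespace();
        this.superUserAdmin = PulsarAdmin.builder().serviceHttpUrl(getPulsarService().getWebServiceAddress()).authentication(new AuthenticationToken(SUPER_USER_TOKEN)).build();
        // Promote the random tenant-admin subject by appending it to the tenant's admin roles.
        TenantInfo tenantInfo = this.superUserAdmin.tenants().getTenantInfo(DEFAULT_TENANT);
        tenantInfo.getAdminRoles().add(TENANT_ADMIN_SUBJECT);
        this.superUserAdmin.tenants().updateTenant(DEFAULT_TENANT, tenantInfo);
        this.tenantManagerAdmin = PulsarAdmin.builder().serviceHttpUrl(getPulsarService().getWebServiceAddress()).authentication(new AuthenticationToken(TENANT_ADMIN_TOKEN)).build();
    }

    /**
     * Creates the test cluster, the {@code public} tenant and the {@code public/default}
     * namespace through the broker's internal admin client, skipping whatever already exists.
     *
     * <p>NOTE(review): the decompiler reports that this method was {@code protected} in the
     * original class and was widened to {@code public}. Under the class-level {@code @Test}
     * annotation a public void method may be picked up by TestNG as a test of its own - confirm
     * and restore {@code protected} if nothing outside the hierarchy calls it.
     *
     * @throws Exception if an admin call fails
     */
    @Override
    public void setupDefaultTenantAndNamespace() throws Exception {
        if (!this.serviceInternalAdmin.clusters().getClusters().contains(TEST_CLUSTER_NAME)) {
            this.serviceInternalAdmin.clusters().createCluster(TEST_CLUSTER_NAME, ClusterData.builder().serviceUrl(this.pulsarService.getWebServiceAddress()).build());
        }
        if (!this.serviceInternalAdmin.tenants().getTenants().contains(DEFAULT_TENANT)) {
            this.serviceInternalAdmin.tenants().createTenant(DEFAULT_TENANT, TenantInfo.builder().allowedClusters(Sets.newHashSet(new String[]{TEST_CLUSTER_NAME})).build());
        }
        if (!this.serviceInternalAdmin.namespaces().getNamespaces(DEFAULT_TENANT).contains(DEFAULT_NAMESPACE)) {
            this.serviceInternalAdmin.namespaces().createNamespace(DEFAULT_NAMESPACE);
        }
    }

    /**
     * Enables token authentication on the broker and configures the broker's own client to
     * authenticate with {@link #BROKER_INTERNAL_CLIENT_TOKEN}.
     *
     * @throws UncheckedIOException if the client authentication parameters cannot be serialized
     */
    protected void configureTokenAuthentication() {
        this.conf.setAuthenticationEnabled(true);
        Set<String> providers = new HashSet<>();
        providers.add(AuthenticationProviderToken.class.getName());
        this.conf.setAuthenticationProviders(providers);
        this.conf.setBrokerClientAuthenticationPlugin(AuthenticationToken.class.getName());
        Map<String, String> brokerClientParams = new HashMap<>();
        brokerClientParams.put("token", BROKER_INTERNAL_CLIENT_TOKEN);
        try {
            this.conf.setBrokerClientAuthenticationParameters(MAPPER.writeValueAsString(brokerClientParams));
        } catch (IOException e) {
            // Jackson reports serialization failures as a checked IOException subtype; keep this
            // helper's signature free of checked exceptions and preserve the cause.
            throw new UncheckedIOException("Failed to serialize broker client authentication parameters", e);
        }
        Properties properties = this.conf.getProperties();
        if (properties == null) {
            properties = new Properties();
            this.conf.setProperties(properties);
        }
        // The broker validates incoming tokens against the same key that signed them.
        properties.put("tokenSecretKey", AuthTokenUtils.encodeKeyBase64(SECRET_KEY));
    }

    /**
     * Enables authorization with {@link PulsarAuthorizationProvider} and makes the super-user
     * and broker-internal subjects the only super-user roles.
     */
    protected void configureDefaultAuthorization() {
        this.conf.setAuthorizationEnabled(true);
        this.conf.setAuthorizationProvider(PulsarAuthorizationProvider.class.getName());
        Set<String> superUserRoles = new HashSet<>();
        superUserRoles.add(SUPER_USER_SUBJECT);
        superUserRoles.add(BROKER_INTERNAL_CLIENT_SUBJECT);
        this.conf.setSuperUserRoles(superUserRoles);
    }

    /**
     * Closes the admin clients built by {@link #setup()} and then tears the broker down.
     *
     * @throws Exception if closing a client or the broker cleanup fails
     */
    @Override
    @AfterClass
    protected void cleanup() throws Exception {
        try {
            // Null checks: setup() may have failed before either client was built.
            // serviceInternalAdmin is obtained from the broker, not built here, so it is left alone.
            if (this.superUserAdmin != null) {
                this.superUserAdmin.close();
            }
            if (this.tenantManagerAdmin != null) {
                this.tenantManagerAdmin.close();
            }
        } finally {
            super.internalCleanup();
        }
    }

    /**
     * Checks the access rules for namespace properties: super user and tenant admin may
     * set/get/remove/clear them, while a subject without a role is refused, both before and
     * after being granted each single {@link AuthAction} on the namespace.
     *
     * @throws Exception if an admin call that is expected to succeed fails
     */
    @Test
    public void testProperties() throws Exception {
        String topic = "persistent://public/default/" + UUID.randomUUID().toString();
        String subject = UUID.randomUUID().toString();
        String token = Jwts.builder().claim("sub", subject).signWith(SECRET_KEY).compact();
        this.superUserAdmin.topics().createNonPartitionedTopic(topic);
        try (PulsarAdmin subAdmin = PulsarAdmin.builder().serviceHttpUrl(getPulsarService().getWebServiceAddress()).authentication(new AuthenticationToken(token)).build()) {
            Map<String, String> properties = new HashMap<>();
            properties.put("key1", "value1");

            exercisePropertyOperations(this.superUserAdmin, properties);
            exercisePropertyOperations(this.tenantManagerAdmin, properties);

            // Authenticated, but holding no role and no grant.
            assertPropertyOperationsDenied(subAdmin, properties);

            // No single namespace-level AuthAction may unlock the property API.
            for (AuthAction action : AuthAction.values()) {
                this.superUserAdmin.namespaces().grantPermissionOnNamespace(DEFAULT_NAMESPACE, subject, Collections.singleton(action));
                try {
                    assertPropertyOperationsDenied(subAdmin, properties);
                } finally {
                    // Revoke even when an assertion fails, so a leftover grant on the shared
                    // namespace cannot influence later checks.
                    this.superUserAdmin.namespaces().revokePermissionsOnNamespace(DEFAULT_NAMESPACE, subject);
                }
            }
            this.superUserAdmin.topics().delete(topic, true);
        }
    }

    /**
     * Runs every namespace-property operation with a client that is expected to be authorized.
     * Only the absence of an exception is checked, not the returned values.
     */
    private static void exercisePropertyOperations(PulsarAdmin admin, Map<String, String> properties) throws PulsarAdminException {
        admin.namespaces().setProperties(DEFAULT_NAMESPACE, properties);
        admin.namespaces().setProperty(DEFAULT_NAMESPACE, "key2", "value2");
        admin.namespaces().getProperties(DEFAULT_NAMESPACE);
        admin.namespaces().getProperty(DEFAULT_NAMESPACE, "key2");
        admin.namespaces().removeProperty(DEFAULT_NAMESPACE, "key2");
        admin.namespaces().clearProperties(DEFAULT_NAMESPACE);
    }

    /** Asserts that every namespace-property operation is refused with NotAuthorizedException. */
    private static void assertPropertyOperationsDenied(PulsarAdmin admin, Map<String, String> properties) {
        Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class, () -> {
            admin.namespaces().setProperties(DEFAULT_NAMESPACE, properties);
        });
        Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class, () -> {
            admin.namespaces().setProperty(DEFAULT_NAMESPACE, "key2", "value2");
        });
        Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class, () -> {
            admin.namespaces().getProperties(DEFAULT_NAMESPACE);
        });
        Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class, () -> {
            admin.namespaces().getProperty(DEFAULT_NAMESPACE, "key2");
        });
        Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class, () -> {
            admin.namespaces().removeProperty(DEFAULT_NAMESPACE, "key2");
        });
        Assert.assertThrows(PulsarAdminException.NotAuthorizedException.class, () -> {
            admin.namespaces().clearProperties(DEFAULT_NAMESPACE);
        });
    }

    /**
     * Returns the broker captured in {@link #setup()}.
     *
     * @return the running broker, or {@code null} before setup has completed
     */
    public PulsarService getPulsarService() {
        return this.pulsarService;
    }
}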
