package com.linkedin.venice.listener;

import com.linkedin.venice.acl.StaticAccessController;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.Attribute;
import java.net.SocketAddress;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import org.mockito.ArgumentMatcher;
import org.mockito.Mockito;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:com/linkedin/venice/listener/ServerAclHandlerTest.class */
public class ServerAclHandlerTest {
    private StaticAccessController accessController;
    private ChannelHandlerContext ctx;
    private HttpRequest req;
    private ServerAclHandler aclHandler;
    protected Attribute<Boolean> serverAclApprovedAttr;

    /* loaded from: input_file:com/linkedin/venice/listener/ServerAclHandlerTest$ContextMatcher.class */
    public static class ContextMatcher implements ArgumentMatcher<FullHttpResponse> {
        private HttpResponseStatus status;

        public ContextMatcher(HttpResponseStatus httpResponseStatus) {
            this.status = httpResponseStatus;
        }

        public boolean matches(FullHttpResponse fullHttpResponse) {
            return fullHttpResponse.status().equals(this.status);
        }
    }

    @BeforeMethod
    public void setUp() throws Exception {
        this.ctx = (ChannelHandlerContext) Mockito.mock(ChannelHandlerContext.class);
        this.req = (HttpRequest) Mockito.mock(HttpRequest.class);
        this.accessController = (StaticAccessController) Mockito.mock(StaticAccessController.class);
        this.aclHandler = (ServerAclHandler) Mockito.spy(new ServerAclHandler(Optional.of(this.accessController), Optional.empty(), Optional.empty()));
        ChannelPipeline channelPipeline = (ChannelPipeline) Mockito.mock(ChannelPipeline.class);
        Mockito.when(this.ctx.pipeline()).thenReturn(channelPipeline);
        SslHandler sslHandler = (SslHandler) Mockito.mock(SslHandler.class);
        Mockito.when(channelPipeline.get(SslHandler.class)).thenReturn(sslHandler);
        SSLEngine sSLEngine = (SSLEngine) Mockito.mock(SSLEngine.class);
        Mockito.when(sslHandler.engine()).thenReturn(sSLEngine);
        SSLSession sSLSession = (SSLSession) Mockito.mock(SSLSession.class);
        Mockito.when(sSLEngine.getSession()).thenReturn(sSLSession);
        Mockito.when(sSLSession.getPeerCertificates()).thenReturn(new Certificate[]{(X509Certificate) Mockito.mock(X509Certificate.class)});
        Channel channel = (Channel) Mockito.mock(Channel.class);
        Mockito.when(this.ctx.channel()).thenReturn(channel);
        Mockito.when(channel.remoteAddress()).thenReturn((SocketAddress) Mockito.mock(SocketAddress.class));
        this.serverAclApprovedAttr = (Attribute) Mockito.mock(Attribute.class);
        ((Channel) Mockito.doReturn(this.serverAclApprovedAttr).when(channel)).attr(ServerAclHandler.SERVER_ACL_APPROVED_ATTRIBUTE_KEY);
        Mockito.when(this.req.method()).thenReturn(HttpMethod.GET);
    }

    @Test
    public void testAllow() throws Exception {
        Mockito.when(Boolean.valueOf(this.accessController.hasAccess((X509Certificate) Mockito.any(), (String) Mockito.any(), (String) Mockito.any()))).thenReturn(true);
        this.aclHandler.channelRead0(this.ctx, this.req);
        ((ChannelHandlerContext) Mockito.verify(this.ctx)).fireChannelRead(this.req);
        ((ChannelHandlerContext) Mockito.verify(this.ctx, Mockito.never())).writeAndFlush(Mockito.argThat(new ContextMatcher(HttpResponseStatus.FORBIDDEN)));
        ((Attribute) Mockito.verify(this.serverAclApprovedAttr)).set(true);
    }

    @Test
    public void testDeny() throws Exception {
        Mockito.when(Boolean.valueOf(this.accessController.hasAccess((X509Certificate) Mockito.any(), (String) Mockito.any(), (String) Mockito.any()))).thenReturn(false);
        this.aclHandler.channelRead0(this.ctx, this.req);
        ((ChannelHandlerContext) Mockito.verify(this.ctx, Mockito.never())).fireChannelRead(this.req);
        ((ChannelHandlerContext) Mockito.verify(this.ctx)).writeAndFlush(Mockito.argThat(new ContextMatcher(HttpResponseStatus.FORBIDDEN)));
        ((Attribute) Mockito.verify(this.serverAclApprovedAttr)).set(false);
    }

    @Test
    public void testDenyWithDisabledFailOnAccessRejection() throws Exception {
        Mockito.when(Boolean.valueOf(this.accessController.hasAccess((X509Certificate) Mockito.any(), (String) Mockito.any(), (String) Mockito.any()))).thenReturn(false);
        this.aclHandler = (ServerAclHandler) Mockito.spy(new ServerAclHandler(Optional.of(this.accessController), Optional.empty(), Optional.empty(), false));
        this.aclHandler.channelRead0(this.ctx, this.req);
        ((ChannelHandlerContext) Mockito.verify(this.ctx)).fireChannelRead(this.req);
        ((ChannelHandlerContext) Mockito.verify(this.ctx, Mockito.never())).writeAndFlush(Mockito.argThat(new ContextMatcher(HttpResponseStatus.FORBIDDEN)));
        ((Attribute) Mockito.verify(this.serverAclApprovedAttr)).set(false);
    }
}
