package org.apache.pulsar.broker.service;

import com.google.common.collect.Sets;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.nio.NioEventLoopGroup;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.Optional;
import java.util.Properties;
import java.util.concurrent.CompletableFuture;
import javax.crypto.SecretKey;
import org.apache.bookkeeper.common.util.OrderedExecutor;
import org.apache.bookkeeper.mledger.ManagedLedgerFactory;
import org.apache.pulsar.broker.BrokerTestUtil;
import org.apache.pulsar.broker.PulsarService;
import org.apache.pulsar.broker.PulsarServiceMockSupport;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.auth.MockedPulsarServiceBaseTest;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.authentication.AuthenticationDataSubscription;
import org.apache.pulsar.broker.authentication.AuthenticationProviderToken;
import org.apache.pulsar.broker.authentication.utils.AuthTokenUtils;
import org.apache.pulsar.broker.authorization.AuthorizationService;
import org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider;
import org.apache.pulsar.broker.intercept.BrokerInterceptor;
import org.apache.pulsar.broker.resources.NamespaceResources;
import org.apache.pulsar.broker.resources.PulsarResources;
import org.apache.pulsar.broker.resources.TenantResources;
import org.apache.pulsar.broker.service.schema.DefaultSchemaRegistryService;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.client.impl.auth.AuthenticationToken;
import org.apache.pulsar.common.api.proto.CommandConnect;
import org.apache.pulsar.common.api.proto.CommandLookupTopic;
import org.apache.pulsar.common.api.proto.CommandProducer;
import org.apache.pulsar.common.api.proto.CommandSubscribe;
import org.apache.pulsar.common.naming.TopicName;
import org.apache.pulsar.common.policies.data.TenantInfo;
import org.apache.pulsar.common.policies.data.TopicOperation;
import org.apache.pulsar.metadata.impl.ZKMetadataStore;
import org.apache.zookeeper.MockZooKeeper;
import org.mockito.ArgumentMatcher;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

@Test(groups = {"broker"})
/* loaded from: input_file:org/apache/pulsar/broker/service/ServerCnxAuthorizationTest.class */
public class ServerCnxAuthorizationTest {
    private final SecretKey SECRET_KEY = AuthTokenUtils.createSecretKey(SignatureAlgorithm.HS256);
    private final String CLIENT_PRINCIPAL = "client";
    private final String PROXY_PRINCIPAL = "proxy";
    private final String CLIENT_TOKEN = Jwts.builder().setSubject("client").signWith(this.SECRET_KEY).compact();
    private final String PROXY_TOKEN = Jwts.builder().setSubject("proxy").signWith(this.SECRET_KEY).compact();
    private PulsarService pulsar;
    private PulsarResources pulsarResources;
    private BrokerService brokerService;
    private ServiceConfiguration svcConfig;

    @BeforeMethod(alwaysRun = true)
    public void beforeMethod() throws Exception {
        NioEventLoopGroup nioEventLoopGroup = new NioEventLoopGroup();
        this.svcConfig = (ServiceConfiguration) Mockito.spy(ServiceConfiguration.class);
        this.svcConfig.setKeepAliveIntervalSeconds(0);
        this.svcConfig.setBrokerShutdownTimeoutMs(0L);
        this.svcConfig.setLoadBalancerOverrideBrokerNicSpeedGbps(Optional.of(Double.valueOf(1.0d)));
        this.svcConfig.setClusterName("pulsar-cluster");
        this.svcConfig.setSuperUserRoles(Collections.singleton("proxy"));
        this.svcConfig.setAuthenticationEnabled(true);
        this.svcConfig.setAuthenticationProviders(Sets.newHashSet(new String[]{AuthenticationProviderToken.class.getName()}));
        this.svcConfig.setAuthorizationEnabled(true);
        this.svcConfig.setAuthorizationProvider(PulsarAuthorizationProvider.class.getName());
        Properties properties = new Properties();
        properties.setProperty("tokenSecretKey", "data:;base64," + Base64.getEncoder().encodeToString(this.SECRET_KEY.getEncoded()));
        this.svcConfig.setProperties(properties);
        this.pulsar = (PulsarService) BrokerTestUtil.spyWithClassAndConstructorArgs(PulsarService.class, this.svcConfig);
        ((PulsarService) Mockito.doReturn(new DefaultSchemaRegistryService()).when(this.pulsar)).getSchemaRegistryService();
        ((PulsarService) Mockito.doReturn(this.svcConfig).when(this.pulsar)).getConfiguration();
        PulsarServiceMockSupport.mockPulsarServiceProps(this.pulsar, () -> {
            ((PulsarService) Mockito.doReturn(Mockito.mock(PulsarResources.class)).when(this.pulsar)).getPulsarResources();
        });
        ((PulsarService) Mockito.doReturn((ManagedLedgerFactory) Mockito.mock(ManagedLedgerFactory.class)).when(this.pulsar)).getManagedLedgerFactory();
        MockZooKeeper createMockZooKeeper = MockedPulsarServiceBaseTest.createMockZooKeeper();
        OrderedExecutor build = OrderedExecutor.newBuilder().numThreads(1).build();
        ((PulsarService) Mockito.doReturn(MockedPulsarServiceBaseTest.createMockBookKeeper(build)).when(this.pulsar)).getBookKeeperClient();
        ZKMetadataStore zKMetadataStore = new ZKMetadataStore(createMockZooKeeper);
        ((PulsarService) Mockito.doReturn(zKMetadataStore).when(this.pulsar)).getLocalMetadataStore();
        ((PulsarService) Mockito.doReturn(zKMetadataStore).when(this.pulsar)).getConfigurationMetadataStore();
        this.pulsarResources = (PulsarResources) BrokerTestUtil.spyWithClassAndConstructorArgs(PulsarResources.class, zKMetadataStore, zKMetadataStore);
        PulsarServiceMockSupport.mockPulsarServiceProps(this.pulsar, () -> {
            ((PulsarService) Mockito.doReturn(this.pulsarResources).when(this.pulsar)).getPulsarResources();
        });
        ((PulsarResources) Mockito.doReturn((NamespaceResources) BrokerTestUtil.spyWithClassAndConstructorArgs(NamespaceResources.class, zKMetadataStore, zKMetadataStore, 30)).when(this.pulsarResources)).getNamespaceResources();
        TenantResources tenantResources = (TenantResources) BrokerTestUtil.spyWithClassAndConstructorArgs(TenantResources.class, zKMetadataStore, 30);
        ((PulsarResources) Mockito.doReturn(tenantResources).when(this.pulsarResources)).getTenantResources();
        ((TenantResources) Mockito.doReturn(CompletableFuture.completedFuture(Optional.of(TenantInfo.builder().build()))).when(tenantResources)).getTenantAsync("public");
        this.brokerService = (BrokerService) BrokerTestUtil.spyWithClassAndConstructorArgs(BrokerService.class, this.pulsar, nioEventLoopGroup);
        ((BrokerService) Mockito.doReturn((BrokerInterceptor) Mockito.mock(BrokerInterceptor.class)).when(this.brokerService)).getInterceptor();
        PulsarServiceMockSupport.mockPulsarServiceProps(this.pulsar, () -> {
            ((PulsarService) Mockito.doReturn(this.brokerService).when(this.pulsar)).getBrokerService();
            ((PulsarService) Mockito.doReturn(build).when(this.pulsar)).getOrderedExecutor();
        });
    }

    @Test
    public void testVerifyOriginalPrincipalWithAuthDataForwardedFromProxy() throws Exception {
        ((ServiceConfiguration) Mockito.doReturn(true).when(this.svcConfig)).isAuthenticateOriginalAuthData();
        ServerCnx serverCnx = (ServerCnx) BrokerTestUtil.spyWithClassAndConstructorArgs(ServerCnx.class, this.pulsar);
        ChannelHandlerContext channelHandlerContext = (ChannelHandlerContext) Mockito.mock(ChannelHandlerContext.class);
        Channel channel = (Channel) Mockito.mock(Channel.class);
        ChannelPipeline channelPipeline = (ChannelPipeline) Mockito.mock(ChannelPipeline.class);
        ((Channel) Mockito.doReturn(channelPipeline).when(channel)).pipeline();
        ((ChannelPipeline) Mockito.doReturn((Object) null).when(channelPipeline)).get("tls");
        ((Channel) Mockito.doReturn(new InetSocketAddress(0)).when(channel)).remoteAddress();
        ((ChannelHandlerContext) Mockito.doReturn(channel).when(channelHandlerContext)).channel();
        channelHandlerContext.channel().remoteAddress();
        serverCnx.channelActive(channelHandlerContext);
        AuthenticationToken authenticationToken = new AuthenticationToken(this.CLIENT_TOKEN);
        AuthenticationToken authenticationToken2 = new AuthenticationToken(this.PROXY_TOKEN);
        CommandConnect commandConnect = new CommandConnect();
        commandConnect.setAuthMethodName(authenticationToken2.getAuthMethodName());
        commandConnect.setAuthData(authenticationToken2.getAuthData().getCommandData().getBytes(StandardCharsets.UTF_8));
        commandConnect.setClientVersion("test");
        commandConnect.setProtocolVersion(1);
        commandConnect.setOriginalPrincipal("client");
        commandConnect.setOriginalAuthData(authenticationToken.getAuthData().getCommandData());
        commandConnect.setOriginalAuthMethod(authenticationToken.getAuthMethodName());
        serverCnx.handleConnect(commandConnect);
        Assert.assertEquals(serverCnx.getOriginalAuthData().getCommandData(), authenticationToken.getAuthData().getCommandData());
        Assert.assertEquals(serverCnx.getOriginalAuthState().getAuthRole(), "client");
        Assert.assertEquals(serverCnx.getOriginalPrincipal(), "client");
        Assert.assertEquals(serverCnx.getAuthData().getCommandData(), authenticationToken2.getAuthData().getCommandData());
        Assert.assertEquals(serverCnx.getAuthRole(), "proxy");
        Assert.assertEquals(serverCnx.getAuthState().getAuthRole(), "proxy");
        AuthorizationService authorizationService = (AuthorizationService) BrokerTestUtil.spyWithClassAndConstructorArgs(AuthorizationService.class, this.svcConfig, this.pulsarResources);
        ((BrokerService) Mockito.doReturn(authorizationService).when(this.brokerService)).getAuthorizationService();
        CommandLookupTopic commandLookupTopic = new CommandLookupTopic();
        TopicName topicName = TopicName.get("persistent://public/default/test-topic");
        commandLookupTopic.setTopic(topicName.toString());
        commandLookupTopic.setRequestId(1L);
        serverCnx.handleLookup(commandLookupTopic);
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync(topicName, TopicOperation.LOOKUP, "client", serverCnx.getOriginalAuthData());
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync(topicName, TopicOperation.LOOKUP, "proxy", serverCnx.getAuthData());
        CommandProducer commandProducer = new CommandProducer();
        commandProducer.setRequestId(1L);
        commandProducer.setProducerId(1L);
        commandProducer.setProducerName("test-producer");
        commandProducer.setTopic(topicName.toString());
        serverCnx.handleProducer(commandProducer);
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync(topicName, TopicOperation.PRODUCE, "client", serverCnx.getOriginalAuthData());
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync(topicName, TopicOperation.LOOKUP, "proxy", serverCnx.getAuthData());
        CommandSubscribe commandSubscribe = new CommandSubscribe();
        commandSubscribe.setTopic(topicName.toString());
        commandSubscribe.setRequestId(1L);
        commandSubscribe.setConsumerId(1L);
        commandSubscribe.setSubscription("test-subscribe");
        commandSubscribe.setSubType(CommandSubscribe.SubType.Shared);
        serverCnx.handleSubscribe(commandSubscribe);
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync((TopicName) ArgumentMatchers.eq(topicName), (TopicOperation) ArgumentMatchers.eq(TopicOperation.CONSUME), (String) ArgumentMatchers.eq("client"), (AuthenticationDataSource) ArgumentMatchers.argThat(authenticationDataSource -> {
            Assert.assertTrue(authenticationDataSource instanceof AuthenticationDataSubscription);
            try {
                Assert.assertEquals(authenticationDataSource.getCommandData(), authenticationToken.getAuthData().getCommandData());
            } catch (PulsarClientException e) {
                Assert.fail(e.getMessage());
            }
            Assert.assertEquals(authenticationDataSource.getSubscription(), "test-subscribe");
            return true;
        }));
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync((TopicName) ArgumentMatchers.eq(topicName), (TopicOperation) ArgumentMatchers.eq(TopicOperation.CONSUME), (String) ArgumentMatchers.eq("proxy"), (AuthenticationDataSource) ArgumentMatchers.argThat(authenticationDataSource2 -> {
            Assert.assertTrue(authenticationDataSource2 instanceof AuthenticationDataSubscription);
            try {
                Assert.assertEquals(authenticationDataSource2.getCommandData(), authenticationToken2.getAuthData().getCommandData());
            } catch (PulsarClientException e) {
                Assert.fail(e.getMessage());
            }
            Assert.assertEquals(authenticationDataSource2.getSubscription(), "test-subscribe");
            return true;
        }));
    }

    @Test
    public void testVerifyOriginalPrincipalWithoutAuthDataForwardedFromProxy() throws Exception {
        ((ServiceConfiguration) Mockito.doReturn(false).when(this.svcConfig)).isAuthenticateOriginalAuthData();
        ServerCnx serverCnx = (ServerCnx) BrokerTestUtil.spyWithClassAndConstructorArgs(ServerCnx.class, this.pulsar);
        ChannelHandlerContext channelHandlerContext = (ChannelHandlerContext) Mockito.mock(ChannelHandlerContext.class);
        Channel channel = (Channel) Mockito.mock(Channel.class);
        ChannelPipeline channelPipeline = (ChannelPipeline) Mockito.mock(ChannelPipeline.class);
        ((Channel) Mockito.doReturn(channelPipeline).when(channel)).pipeline();
        ((ChannelPipeline) Mockito.doReturn((Object) null).when(channelPipeline)).get("tls");
        ((Channel) Mockito.doReturn(new InetSocketAddress(0)).when(channel)).remoteAddress();
        ((ChannelHandlerContext) Mockito.doReturn(channel).when(channelHandlerContext)).channel();
        channelHandlerContext.channel().remoteAddress();
        serverCnx.channelActive(channelHandlerContext);
        AuthenticationToken authenticationToken = new AuthenticationToken(this.PROXY_TOKEN);
        CommandConnect commandConnect = new CommandConnect();
        commandConnect.setAuthMethodName(authenticationToken.getAuthMethodName());
        commandConnect.setAuthData(authenticationToken.getAuthData().getCommandData().getBytes(StandardCharsets.UTF_8));
        commandConnect.setClientVersion("test");
        commandConnect.setProtocolVersion(1);
        commandConnect.setOriginalPrincipal("client");
        serverCnx.handleConnect(commandConnect);
        Assert.assertNull(serverCnx.getOriginalAuthData());
        Assert.assertNull(serverCnx.getOriginalAuthState());
        Assert.assertEquals(serverCnx.getOriginalPrincipal(), "client");
        Assert.assertEquals(serverCnx.getAuthData().getCommandData(), authenticationToken.getAuthData().getCommandData());
        Assert.assertEquals(serverCnx.getAuthRole(), "proxy");
        Assert.assertEquals(serverCnx.getAuthState().getAuthRole(), "proxy");
        AuthorizationService authorizationService = (AuthorizationService) BrokerTestUtil.spyWithClassAndConstructorArgs(AuthorizationService.class, this.svcConfig, this.pulsarResources);
        ((BrokerService) Mockito.doReturn(authorizationService).when(this.brokerService)).getAuthorizationService();
        CommandLookupTopic commandLookupTopic = new CommandLookupTopic();
        TopicName topicName = TopicName.get("persistent://public/default/test-topic");
        commandLookupTopic.setTopic(topicName.toString());
        commandLookupTopic.setRequestId(1L);
        serverCnx.handleLookup(commandLookupTopic);
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync(topicName, TopicOperation.LOOKUP, "client", serverCnx.getAuthData());
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync(topicName, TopicOperation.LOOKUP, "proxy", serverCnx.getAuthData());
        CommandProducer commandProducer = new CommandProducer();
        commandProducer.setRequestId(1L);
        commandProducer.setProducerId(1L);
        commandProducer.setProducerName("test-producer");
        commandProducer.setTopic(topicName.toString());
        serverCnx.handleProducer(commandProducer);
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync(topicName, TopicOperation.PRODUCE, "client", serverCnx.getAuthData());
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync(topicName, TopicOperation.LOOKUP, "proxy", serverCnx.getAuthData());
        CommandSubscribe commandSubscribe = new CommandSubscribe();
        commandSubscribe.setTopic(topicName.toString());
        commandSubscribe.setRequestId(1L);
        commandSubscribe.setConsumerId(1L);
        commandSubscribe.setSubscription("test-subscribe");
        commandSubscribe.setSubType(CommandSubscribe.SubType.Shared);
        serverCnx.handleSubscribe(commandSubscribe);
        ArgumentMatcher argumentMatcher = authenticationDataSource -> {
            Assert.assertTrue(authenticationDataSource instanceof AuthenticationDataSubscription);
            try {
                Assert.assertEquals(authenticationDataSource.getCommandData(), authenticationToken.getAuthData().getCommandData());
            } catch (PulsarClientException e) {
                Assert.fail(e.getMessage());
            }
            Assert.assertEquals(authenticationDataSource.getSubscription(), "test-subscribe");
            return true;
        };
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync((TopicName) ArgumentMatchers.eq(topicName), (TopicOperation) ArgumentMatchers.eq(TopicOperation.CONSUME), (String) ArgumentMatchers.eq("client"), (AuthenticationDataSource) ArgumentMatchers.argThat(argumentMatcher));
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync((TopicName) ArgumentMatchers.eq(topicName), (TopicOperation) ArgumentMatchers.eq(TopicOperation.CONSUME), (String) ArgumentMatchers.eq("proxy"), (AuthenticationDataSource) ArgumentMatchers.argThat(argumentMatcher));
    }

    @Test
    public void testVerifyAuthRoleAndAuthDataFromDirectConnectionBroker() throws Exception {
        ServerCnx serverCnx = (ServerCnx) BrokerTestUtil.spyWithClassAndConstructorArgs(ServerCnx.class, this.pulsar);
        ChannelHandlerContext channelHandlerContext = (ChannelHandlerContext) Mockito.mock(ChannelHandlerContext.class);
        Channel channel = (Channel) Mockito.mock(Channel.class);
        ChannelPipeline channelPipeline = (ChannelPipeline) Mockito.mock(ChannelPipeline.class);
        ((Channel) Mockito.doReturn(channelPipeline).when(channel)).pipeline();
        ((ChannelPipeline) Mockito.doReturn((Object) null).when(channelPipeline)).get("tls");
        ((Channel) Mockito.doReturn(new InetSocketAddress(0)).when(channel)).remoteAddress();
        ((ChannelHandlerContext) Mockito.doReturn(channel).when(channelHandlerContext)).channel();
        channelHandlerContext.channel().remoteAddress();
        serverCnx.channelActive(channelHandlerContext);
        AuthenticationToken authenticationToken = new AuthenticationToken(this.CLIENT_TOKEN);
        CommandConnect commandConnect = new CommandConnect();
        commandConnect.setAuthMethodName(authenticationToken.getAuthMethodName());
        commandConnect.setAuthData(authenticationToken.getAuthData().getCommandData().getBytes(StandardCharsets.UTF_8));
        commandConnect.setClientVersion("test");
        commandConnect.setProtocolVersion(1);
        serverCnx.handleConnect(commandConnect);
        Assert.assertNull(serverCnx.getOriginalAuthData());
        Assert.assertNull(serverCnx.getOriginalAuthState());
        Assert.assertNull(serverCnx.getOriginalPrincipal());
        Assert.assertEquals(serverCnx.getAuthData().getCommandData(), authenticationToken.getAuthData().getCommandData());
        Assert.assertEquals(serverCnx.getAuthRole(), "client");
        Assert.assertEquals(serverCnx.getAuthState().getAuthRole(), "client");
        AuthorizationService authorizationService = (AuthorizationService) BrokerTestUtil.spyWithClassAndConstructorArgs(AuthorizationService.class, this.svcConfig, this.pulsarResources);
        ((BrokerService) Mockito.doReturn(authorizationService).when(this.brokerService)).getAuthorizationService();
        CommandLookupTopic commandLookupTopic = new CommandLookupTopic();
        TopicName topicName = TopicName.get("persistent://public/default/test-topic");
        commandLookupTopic.setTopic(topicName.toString());
        commandLookupTopic.setRequestId(1L);
        serverCnx.handleLookup(commandLookupTopic);
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync(topicName, TopicOperation.LOOKUP, "client", serverCnx.getAuthData());
        CommandProducer commandProducer = new CommandProducer();
        commandProducer.setRequestId(1L);
        commandProducer.setProducerId(1L);
        commandProducer.setProducerName("test-producer");
        commandProducer.setTopic(topicName.toString());
        serverCnx.handleProducer(commandProducer);
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync(topicName, TopicOperation.PRODUCE, "client", serverCnx.getAuthData());
        CommandSubscribe commandSubscribe = new CommandSubscribe();
        commandSubscribe.setTopic(topicName.toString());
        commandSubscribe.setRequestId(1L);
        commandSubscribe.setConsumerId(1L);
        commandSubscribe.setSubscription("test-subscribe");
        commandSubscribe.setSubType(CommandSubscribe.SubType.Shared);
        serverCnx.handleSubscribe(commandSubscribe);
        ((AuthorizationService) Mockito.verify(authorizationService, Mockito.times(1))).allowTopicOperationAsync((TopicName) ArgumentMatchers.eq(topicName), (TopicOperation) ArgumentMatchers.eq(TopicOperation.CONSUME), (String) ArgumentMatchers.eq("client"), (AuthenticationDataSource) ArgumentMatchers.argThat(authenticationDataSource -> {
            Assert.assertTrue(authenticationDataSource instanceof AuthenticationDataSubscription);
            try {
                Assert.assertEquals(authenticationDataSource.getCommandData(), authenticationToken.getAuthData().getCommandData());
            } catch (PulsarClientException e) {
                Assert.fail(e.getMessage());
            }
            Assert.assertEquals(authenticationDataSource.getSubscription(), "test-subscribe");
            return true;
        }));
    }
}
