package com.floragunn.searchguard.enterprise.dlsfls;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.JavaSecurityTestSetup;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchsupport.junit.matcher.DocNodeMatchers;
import java.util.Arrays;
import org.apache.http.Header;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.Client;
import org.elasticsearch.xcontent.XContentType;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/FlsKeywordTest.class */
public class FlsKeywordTest {
    public static final String AUTHOR_GOETHE = "Goethe";
    private static final Logger log = LogManager.getLogger(FlsKeywordTest.class);
    public static final String FIELD_TITLE = "title";
    public static final String FIELD_TITLE_KEYWORD = "title.keyword";
    public static final String FIELD_CONTENT = "content";
    public static final String FIELD_CONTENT_KEYWORD = "content.keyword";
    public static final String FIELD_AUTHOR = "author";
    public static final String FIELD_AUTHOR_KEYWORD = "author.keyword";
    public static final String MATCH_ALL_QUERY_WITH_FIELDS = DocNode.of("query", DocNode.of("match_all", DocNode.EMPTY), "fields", Arrays.asList(FIELD_TITLE, FIELD_TITLE_KEYWORD, FIELD_CONTENT, FIELD_CONTENT_KEYWORD, FIELD_AUTHOR, FIELD_AUTHOR_KEYWORD), "_source", false).toJsonString();
    public static final String AUTHOR_AGGREGATION_NAME = "author-aggregation";
    public static final String AGGREGATION_BY_AUTHOR_QUERY = DocNode.of("size", 0, "aggs", DocNode.of(AUTHOR_AGGREGATION_NAME, DocNode.of("terms", DocNode.of("field", FIELD_AUTHOR_KEYWORD)))).toJsonString();

    @ClassRule
    public static JavaSecurityTestSetup javaSecurity = new JavaSecurityTestSetup();
    static final TestSgConfig.Authc AUTHC = new TestSgConfig.Authc(new TestSgConfig.Authc.Domain[]{new TestSgConfig.Authc.Domain("basic/internal_users_db")});
    static final TestSgConfig.DlsFls DLSFLS = new TestSgConfig.DlsFls().useImpl("flx").metrics("detailed");
    public static final String DOCUMENTS_INDEX_NAME = "documents";
    private static TestSgConfig.Role DOCUMENT_READER_ROLE = new TestSgConfig.Role("document_reader_role").clusterPermissions(new String[]{"*"}).indexPermissions(new String[]{"indices:data/read/search"}).on(new String[]{DOCUMENTS_INDEX_NAME});
    private static TestSgConfig.Role DOCUMENT_READER_EXCEPT_AUTHOR_ROLE = new TestSgConfig.Role("document_reader_except_author_role").clusterPermissions(new String[]{"*"}).indexPermissions(new String[]{"indices:data/read/search"}).fls(new String[]{"~author"}).on(new String[]{DOCUMENTS_INDEX_NAME});
    private static TestSgConfig.Role DOCUMENT_TITLE_READER_ROLE = new TestSgConfig.Role("document_title_reader_role").clusterPermissions(new String[]{"*"}).indexPermissions(new String[]{"indices:data/read/search"}).fls(new String[]{FIELD_TITLE}).on(new String[]{DOCUMENTS_INDEX_NAME});
    private static TestSgConfig.User DOCUMENT_READER_USER = new TestSgConfig.User("document_reader_user").roles(new String[]{DOCUMENT_READER_ROLE.getName()});
    private static TestSgConfig.User DOCUMENT_READER_EXCEPT_AUTHOR_USER = new TestSgConfig.User("document_reader_except_author_user").roles(new String[]{DOCUMENT_READER_EXCEPT_AUTHOR_ROLE.getName()});
    private static TestSgConfig.User DOCUMENT_TITLE_READER_USER = new TestSgConfig.User("document_title_reader_user").roles(new String[]{DOCUMENT_TITLE_READER_ROLE.getName()});

    @ClassRule
    public static LocalCluster cluster = new LocalCluster.Builder().sslEnabled().enterpriseModulesEnabled().authc(AUTHC).dlsFls(DLSFLS).roles(new TestSgConfig.Role[]{DOCUMENT_READER_ROLE, DOCUMENT_READER_EXCEPT_AUTHOR_ROLE, DOCUMENT_TITLE_READER_ROLE}).users(new TestSgConfig.User[]{DOCUMENT_READER_USER, DOCUMENT_READER_EXCEPT_AUTHOR_USER, DOCUMENT_TITLE_READER_USER}).build();

    @BeforeClass
    public static void populateData() {
        Client privilegedInternalNodeClient = cluster.getPrivilegedInternalNodeClient();
        try {
            privilegedInternalNodeClient.index(new IndexRequest(DOCUMENTS_INDEX_NAME).id("0").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(DocNode.of(FIELD_TITLE, "accessible document title", FIELD_CONTENT, "document content", FIELD_AUTHOR, AUTHOR_GOETHE).toJsonString(), XContentType.JSON)).actionGet();
            if (privilegedInternalNodeClient != null) {
                privilegedInternalNodeClient.close();
            }
        } catch (Throwable th) {
            if (privilegedInternalNodeClient != null) {
                try {
                    privilegedInternalNodeClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldAccessAuthorFieldDuringRegularSearch() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(DOCUMENT_READER_USER, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/documents/_search", new Header[0]);
            MatcherAssert.assertThat(Integer.valueOf(httpResponse.getStatusCode()), Matchers.equalTo(200));
            MatcherAssert.assertThat(httpResponse.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0]._source", FIELD_AUTHOR));
            MatcherAssert.assertThat(httpResponse.getBodyAsDocNode(), DocNodeMatchers.containsValue("hits.hits[0]._source.author", AUTHOR_GOETHE));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldNotAccessAuthorFieldWhenUserIsLackingFlPermission() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(DOCUMENT_READER_EXCEPT_AUTHOR_USER, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/documents/_search", new Header[0]);
            MatcherAssert.assertThat(Integer.valueOf(httpResponse.getStatusCode()), Matchers.equalTo(200));
            MatcherAssert.assertThat(httpResponse.getBodyAsDocNode(), Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0]._source", FIELD_AUTHOR)));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldReadWholeDocument() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(DOCUMENT_READER_USER, new Header[0]);
        try {
            GenericRestClient.HttpResponse postJson = restClient.postJson("/documents/_search", MATCH_ALL_QUERY_WITH_FIELDS, new Header[0]);
            MatcherAssert.assertThat(Integer.valueOf(postJson.getStatusCode()), Matchers.equalTo(200));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_TITLE));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_TITLE_KEYWORD));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_CONTENT));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_CONTENT_KEYWORD));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.docNodeSizeEqualTo("hits.hits[0].fields", 6));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldReadOnlyTitleFromDocument() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(DOCUMENT_TITLE_READER_USER, new Header[0]);
        try {
            GenericRestClient.HttpResponse postJson = restClient.postJson("/documents/_search", MATCH_ALL_QUERY_WITH_FIELDS, new Header[0]);
            MatcherAssert.assertThat(Integer.valueOf(postJson.getStatusCode()), Matchers.equalTo(200));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_TITLE));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_TITLE_KEYWORD));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_CONTENT)));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_CONTENT_KEYWORD)));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.docNodeSizeEqualTo("hits.hits[0].fields", 2));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldReadEverythingBesidesAuthor() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(DOCUMENT_READER_EXCEPT_AUTHOR_USER, new Header[0]);
        try {
            GenericRestClient.HttpResponse postJson = restClient.postJson("/documents/_search", MATCH_ALL_QUERY_WITH_FIELDS, new Header[0]);
            MatcherAssert.assertThat(Integer.valueOf(postJson.getStatusCode()), Matchers.equalTo(200));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_TITLE));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_TITLE_KEYWORD));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_CONTENT));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_CONTENT_KEYWORD));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_AUTHOR)));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("hits.hits[0].fields", FIELD_AUTHOR_KEYWORD)));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.docNodeSizeEqualTo("hits.hits[0].fields", 4));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldPerformAggregationByAuthorKeyword() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(DOCUMENT_READER_USER, new Header[0]);
        try {
            GenericRestClient.HttpResponse postJson = restClient.postJson("/documents/_search", AGGREGATION_BY_AUTHOR_QUERY, new Header[0]);
            MatcherAssert.assertThat(Integer.valueOf(postJson.getStatusCode()), Matchers.equalTo(200));
            log.info("Response should contain value of field author '{}'", postJson.getBody());
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("aggregations.author-aggregation.buckets[0]", "key"));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldNotPerformAggregationByAuthorKeywordWhenAccessToTheFieldIsLacking() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(DOCUMENT_TITLE_READER_USER, new Header[0]);
        try {
            GenericRestClient.HttpResponse postJson = restClient.postJson("/documents/_search", AGGREGATION_BY_AUTHOR_QUERY, new Header[0]);
            MatcherAssert.assertThat(Integer.valueOf(postJson.getStatusCode()), Matchers.equalTo(200));
            log.info("Response should NOT contain value of field author '{}'", postJson.getBody());
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("aggregations.author-aggregation.buckets[0]", "key")));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.docNodeSizeEqualTo("aggregations.author-aggregation.buckets", 0));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldNotPerformAggregationByAuthorKeywordWhenAccessToTheFieldIsNegated() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(DOCUMENT_READER_EXCEPT_AUTHOR_USER, new Header[0]);
        try {
            GenericRestClient.HttpResponse postJson = restClient.postJson("/documents/_search", AGGREGATION_BY_AUTHOR_QUERY, new Header[0]);
            MatcherAssert.assertThat(Integer.valueOf(postJson.getStatusCode()), Matchers.equalTo(200));
            log.info("Response should NOT contain value of field author '{}'", postJson.getBody());
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("aggregations.author-aggregation.buckets[0]", "key")));
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.docNodeSizeEqualTo("aggregations.author-aggregation.buckets", 0));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldCheckFlsForEachRequestForEachUser() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(DOCUMENT_READER_USER, new Header[0]);
        try {
            GenericRestClient.HttpResponse postJson = restClient.postJson("/documents/_search", AGGREGATION_BY_AUTHOR_QUERY, new Header[0]);
            MatcherAssert.assertThat(Integer.valueOf(postJson.getStatusCode()), Matchers.equalTo(200));
            log.info("Response should contain value of field author '{}'", postJson.getBody());
            MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("aggregations.author-aggregation.buckets[0]", "key"));
            if (restClient != null) {
                restClient.close();
            }
            restClient = cluster.getRestClient(DOCUMENT_READER_EXCEPT_AUTHOR_USER, new Header[0]);
            try {
                GenericRestClient.HttpResponse postJson2 = restClient.postJson("/documents/_search", AGGREGATION_BY_AUTHOR_QUERY, new Header[0]);
                MatcherAssert.assertThat(Integer.valueOf(postJson2.getStatusCode()), Matchers.equalTo(200));
                MatcherAssert.assertThat(postJson2.getBodyAsDocNode(), Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("aggregations.author-aggregation.buckets[0]", "key")));
                MatcherAssert.assertThat(postJson2.getBodyAsDocNode(), DocNodeMatchers.docNodeSizeEqualTo("aggregations.author-aggregation.buckets", 0));
                if (restClient != null) {
                    restClient.close();
                }
            } finally {
            }
        } finally {
        }
    }
}
