package com.floragunn.searchguard.enterprise.dlsfls;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.Parser;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.authz.config.Role;
import com.floragunn.searchguard.configuration.CType;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldAuthorization;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.floragunn.searchsupport.cstate.metrics.MetricsLevel;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedFieldAuthorizationTest.class */
/**
 * Unit tests for the field-level security (FLS) decisions made by
 * {@link RoleBasedFieldAuthorization}.
 *
 * <p>Each test parses one or two roles from an in-memory document, builds the
 * authorization object for a fixed set of index names, and then checks either the
 * per-field decision ({@code getFlsRule(...).isAllowed(field)}) or the coarse
 * "is anything restricted at all" answer ({@code hasFlsRestrictions(...)}).
 *
 * <p>Security semantics pinned by the assertions below:
 * <ul>
 *   <li>An index that no FLS rule of the user's mapped roles matches is treated as
 *       unrestricted at field level: every field is reported as allowed. These tests
 *       do not exercise whether the user may read the index at all.</li>
 *   <li>Include lists from several roles are merged; a field is visible if any
 *       mapped role lists it.</li>
 *   <li>Exclusions ({@code ~field}) from several roles only hide a field that every
 *       mapped role excludes.</li>
 *   <li>Rules of a role that is configured but not mapped to the user must not
 *       influence the result.</li>
 * </ul>
 */
public class RoleBasedFieldAuthorizationTest {

    /** Wraps the given values in a {@code DocNode} array, exactly as the role documents need them. */
    private static DocNode list(Object... items) {
        return DocNode.array(items);
    }

    /** Parses a role whose {@code index_permissions} consists of the single given entry. */
    private static Role parseRole(DocNode indexPermission) throws Exception {
        DocNode roleDocument = DocNode.of("index_permissions", DocNode.array(new Object[]{indexPermission}));
        return (Role) Role.parse(roleDocument, (Parser.Context) null).get();
    }

    /** Test user without any attributes. */
    private static User plainUser() {
        return new User.Builder().name("test_user").build();
    }

    /** Test user carrying attribute {@code a}, which the templated index patterns refer to. */
    private static User userWithAttributeA(String value) {
        return new User.Builder().name("test_user").attribute("a", value).build();
    }

    /**
     * Builds the evaluation context for {@code user} with the given mapped roles.
     * The authorization object is passed in the fourth constructor position, as in
     * every call of this test class; all other optional collaborators are null.
     */
    private static PrivilegesEvaluationContext contextOf(User user, ImmutableSet<String> mappedRoles,
            RoleBasedFieldAuthorization authorization) throws Exception {
        return new PrivilegesEvaluationContext(user, mappedRoles, (Action) null, authorization, false,
                (ActionRequestIntrospector) null, (SpecialPrivilegesEvaluationContext) null);
    }

    /** Asserts, in order, that the rule exposes each of the given fields. */
    private static void assertAllowed(RoleBasedFieldAuthorization.FlsRule rule, String... fields) {
        for (String field : fields) {
            Assert.assertTrue(rule.toString(), rule.isAllowed(field));
        }
    }

    /** Asserts, in order, that the rule hides each of the given fields. */
    private static void assertHidden(RoleBasedFieldAuthorization.FlsRule rule, String... fields) {
        for (String field : fields) {
            Assert.assertFalse(rule.toString(), rule.isAllowed(field));
        }
    }

    /** Asserts that FLS restrictions are reported for {@code index}. */
    private static void assertRestricted(RoleBasedFieldAuthorization authorization,
            PrivilegesEvaluationContext context, String index) throws Exception {
        Assert.assertTrue(authorization.toString(), authorization.hasFlsRestrictions(context, index, Meter.NO_OP));
    }

    /** Asserts that no FLS restrictions are reported for {@code index}. */
    private static void assertUnrestricted(RoleBasedFieldAuthorization authorization,
            PrivilegesEvaluationContext context, String index) throws Exception {
        Assert.assertFalse(authorization.toString(), authorization.hasFlsRestrictions(context, index, Meter.NO_OP));
    }

    /** A templated index pattern restricts only the index that the user attribute resolves to. */
    @Test
    public void getFlsRule_template() throws Exception {
        Role role = parseRole(
                DocNode.of("index_patterns", "index_${user.attrs.a}", "fls", list("allowed_a", "allowed_b")));
        RoleBasedFieldAuthorization authz = new RoleBasedFieldAuthorization(
                SgDynamicConfiguration.of(CType.ROLES, "role", role),
                ImmutableSet.of("index_value_of_a", "another_index"), MetricsLevel.NONE);
        PrivilegesEvaluationContext ctx = contextOf(userWithAttributeA("value_of_a"), ImmutableSet.of("role"), authz);

        RoleBasedFieldAuthorization.FlsRule templated = authz.getFlsRule(ctx, "index_value_of_a", Meter.NO_OP);
        assertAllowed(templated, "allowed_a", "allowed_b");
        assertHidden(templated, "allowed_c");

        // The pattern does not resolve to this index, so no field filter applies.
        RoleBasedFieldAuthorization.FlsRule other = authz.getFlsRule(ctx, "another_index", Meter.NO_OP);
        assertAllowed(other, "allowed_a", "allowed_b", "allowed_c");
    }

    /** A negated index pattern ({@code -index_abcd}) takes that index out of the FLS rule. */
    @Test
    public void getFlsRule_negation() throws Exception {
        Role role = parseRole(DocNode.of("index_patterns", list("index_abc*", "-index_abcd"), "fls",
                list("allowed_a", "allowed_b")));
        RoleBasedFieldAuthorization authz = new RoleBasedFieldAuthorization(
                SgDynamicConfiguration.of(CType.ROLES, "role", role),
                ImmutableSet.of("index_abc", "index_abcd"), MetricsLevel.NONE);
        PrivilegesEvaluationContext ctx = contextOf(plainUser(), ImmutableSet.of("role"), authz);

        RoleBasedFieldAuthorization.FlsRule included = authz.getFlsRule(ctx, "index_abc", Meter.NO_OP);
        assertAllowed(included, "allowed_a", "allowed_b");
        assertHidden(included, "allowed_c");

        // Excluded from the pattern list: expected to come back without a field filter.
        RoleBasedFieldAuthorization.FlsRule excluded = authz.getFlsRule(ctx, "index_abcd", Meter.NO_OP);
        assertAllowed(excluded, "allowed_a", "allowed_b", "allowed_c");
    }

    /** Same as the negation case, but the positive pattern is built from a user attribute. */
    @Test
    public void getFlsRule_templateAndNegation() throws Exception {
        Role role = parseRole(DocNode.of("index_patterns", list("index_${user.attrs.a}*", "-index_abcd"), "fls",
                list("allowed_a", "allowed_b")));
        RoleBasedFieldAuthorization authz = new RoleBasedFieldAuthorization(
                SgDynamicConfiguration.of(CType.ROLES, "role", role),
                ImmutableSet.of("index_abc", "index_abcd"), MetricsLevel.NONE);
        PrivilegesEvaluationContext ctx = contextOf(userWithAttributeA("abc"), ImmutableSet.of("role"), authz);

        RoleBasedFieldAuthorization.FlsRule included = authz.getFlsRule(ctx, "index_abc", Meter.NO_OP);
        assertAllowed(included, "allowed_a", "allowed_b");
        assertHidden(included, "allowed_c");

        RoleBasedFieldAuthorization.FlsRule excluded = authz.getFlsRule(ctx, "index_abcd", Meter.NO_OP);
        assertAllowed(excluded, "allowed_a", "allowed_b", "allowed_c");
    }

    /**
     * A role with an FLS rule on {@code *} restricts every index for its holder, while a
     * user holding only the other role must not be affected by the wildcard role at all.
     */
    @Test
    public void getFlsRule_wildcardRule() throws Exception {
        Role wildcardRole = parseRole(
                DocNode.of("index_patterns", "*", "fls", list("wildcard_allowed_a", "wildcard_allowed_b")));
        Role specificRole = parseRole(
                DocNode.of("index_patterns", "another_index", "fls", list("allowed_x", "allowed_y")));
        RoleBasedFieldAuthorization authz = new RoleBasedFieldAuthorization(
                SgDynamicConfiguration.of(CType.ROLES, "role_with_wildcard_fls", wildcardRole,
                        "role_without_wildcard_fls", specificRole),
                ImmutableSet.of("one_index", "another_index"), MetricsLevel.NONE);

        PrivilegesEvaluationContext wildcardCtx =
                contextOf(plainUser(), ImmutableSet.of("role_with_wildcard_fls"), authz);

        RoleBasedFieldAuthorization.FlsRule wildcardOnOne = authz.getFlsRule(wildcardCtx, "one_index", Meter.NO_OP);
        assertAllowed(wildcardOnOne, "wildcard_allowed_a", "wildcard_allowed_b");
        assertHidden(wildcardOnOne, "allowed_x");

        // The other role's include list must not widen what this user sees.
        RoleBasedFieldAuthorization.FlsRule wildcardOnAnother =
                authz.getFlsRule(wildcardCtx, "another_index", Meter.NO_OP);
        assertAllowed(wildcardOnAnother, "wildcard_allowed_a", "wildcard_allowed_b");
        assertHidden(wildcardOnAnother, "allowed_x");

        PrivilegesEvaluationContext specificCtx =
                contextOf(plainUser(), ImmutableSet.of("role_without_wildcard_fls"), authz);

        // No rule of the mapped role matches one_index, so nothing is filtered there.
        RoleBasedFieldAuthorization.FlsRule specificOnOne = authz.getFlsRule(specificCtx, "one_index", Meter.NO_OP);
        assertAllowed(specificOnOne, "wildcard_allowed_a", "wildcard_allowed_b", "allowed_x");

        RoleBasedFieldAuthorization.FlsRule specificOnAnother =
                authz.getFlsRule(specificCtx, "another_index", Meter.NO_OP);
        assertHidden(specificOnAnother, "wildcard_allowed_a", "wildcard_allowed_b");
        assertAllowed(specificOnAnother, "allowed_x", "allowed_y");
    }

    /** Include lists of two mapped roles on the same index are combined. */
    @Test
    public void getFlsRule_multiRule() throws Exception {
        Role roleA = parseRole(DocNode.of("index_patterns", "one_index", "fls", list("allowed_a", "allowed_b")));
        Role roleB = parseRole(DocNode.of("index_patterns", "one_index", "fls", list("allowed_c")));
        RoleBasedFieldAuthorization authz = new RoleBasedFieldAuthorization(
                SgDynamicConfiguration.of(CType.ROLES, "role_a", roleA, "role_b", roleB),
                ImmutableSet.of("one_index", "another_index"), MetricsLevel.NONE);
        PrivilegesEvaluationContext ctx = contextOf(plainUser(), ImmutableSet.of("role_a", "role_b"), authz);

        RoleBasedFieldAuthorization.FlsRule merged = authz.getFlsRule(ctx, "one_index", Meter.NO_OP);
        assertAllowed(merged, "allowed_a", "allowed_b", "allowed_c");
        assertHidden(merged, "allowed_d");
    }

    /**
     * Exclusion lists of two mapped roles: only the field excluded by both roles stays
     * hidden. With a single role mapped, that role's exclusions apply in full.
     */
    @Test
    public void getFlsRule_multiRule_exclusion() throws Exception {
        Role roleA = parseRole(DocNode.of("index_patterns", "one_index", "fls", list("~denied_a", "~denied_b")));
        Role roleB = parseRole(DocNode.of("index_patterns", "one_index", "fls", list("~denied_b", "~denied_c")));
        RoleBasedFieldAuthorization authz = new RoleBasedFieldAuthorization(
                SgDynamicConfiguration.of(CType.ROLES, "role_a", roleA, "role_b", roleB),
                ImmutableSet.of("one_index", "another_index"), MetricsLevel.NONE);

        PrivilegesEvaluationContext bothRoles = contextOf(plainUser(), ImmutableSet.of("role_a", "role_b"), authz);
        RoleBasedFieldAuthorization.FlsRule merged = authz.getFlsRule(bothRoles, "one_index", Meter.NO_OP);
        assertAllowed(merged, "denied_a");
        assertHidden(merged, "denied_b");
        assertAllowed(merged, "denied_c");

        PrivilegesEvaluationContext onlyRoleA = contextOf(plainUser(), ImmutableSet.of("role_a"), authz);
        RoleBasedFieldAuthorization.FlsRule single = authz.getFlsRule(onlyRoleA, "one_index", Meter.NO_OP);
        assertHidden(single, "denied_a", "denied_b");
        assertAllowed(single, "denied_c");
    }

    /** Restrictions are reported only for the index that the templated pattern resolves to. */
    @Test
    public void hasFlsRestriction_template() throws Exception {
        Role role = parseRole(
                DocNode.of("index_patterns", "index_${user.attrs.a}", "fls", list("allowed_a", "allowed_b")));
        RoleBasedFieldAuthorization authz = new RoleBasedFieldAuthorization(
                SgDynamicConfiguration.of(CType.ROLES, "role", role),
                ImmutableSet.of("index_value_of_a", "another_index"), MetricsLevel.NONE);
        PrivilegesEvaluationContext ctx = contextOf(userWithAttributeA("value_of_a"), ImmutableSet.of("role"), authz);

        assertRestricted(authz, ctx, "index_value_of_a");
        assertUnrestricted(authz, ctx, "another_index");
    }

    /** A negated pattern removes the restriction even when the positive pattern is templated. */
    @Test
    public void hasFlsRestriction_templateAndNegation() throws Exception {
        Role role = parseRole(DocNode.of("index_patterns", list("index_${user.attrs.a}*", "-index_abcd"), "fls",
                list("allowed_a", "allowed_b")));
        RoleBasedFieldAuthorization authz = new RoleBasedFieldAuthorization(
                SgDynamicConfiguration.of(CType.ROLES, "role", role),
                ImmutableSet.of("index_abc", "index_abcd"), MetricsLevel.NONE);
        PrivilegesEvaluationContext ctx = contextOf(userWithAttributeA("abc"), ImmutableSet.of("role"), authz);

        assertRestricted(authz, ctx, "index_abc");
        assertUnrestricted(authz, ctx, "index_abcd");
    }

    /** A negated pattern removes the restriction for the excluded index. */
    @Test
    public void hasFlsRestriction_negation() throws Exception {
        Role role = parseRole(DocNode.of("index_patterns", list("index_abc*", "-index_abcd"), "fls",
                list("allowed_a", "allowed_b")));
        RoleBasedFieldAuthorization authz = new RoleBasedFieldAuthorization(
                SgDynamicConfiguration.of(CType.ROLES, "role", role),
                ImmutableSet.of("index_abc", "index_abcd"), MetricsLevel.NONE);
        PrivilegesEvaluationContext ctx = contextOf(plainUser(), ImmutableSet.of("role"), authz);

        assertRestricted(authz, ctx, "index_abc");
        assertUnrestricted(authz, ctx, "index_abcd");
    }

    /**
     * The wildcard role restricts both indices for its holder; the holder of the other
     * role is restricted only on the index that role names.
     */
    @Test
    public void hasFlsRestriction_wildcardRule() throws Exception {
        Role wildcardRole = parseRole(
                DocNode.of("index_patterns", "*", "fls", list("wildcard_allowed_a", "wildcard_allowed_b")));
        Role specificRole = parseRole(
                DocNode.of("index_patterns", "another_index", "fls", list("allowed_x", "allowed_y")));
        RoleBasedFieldAuthorization authz = new RoleBasedFieldAuthorization(
                SgDynamicConfiguration.of(CType.ROLES, "role_with_wildcard_fls", wildcardRole,
                        "role_without_wildcard_fls", specificRole),
                ImmutableSet.of("one_index", "another_index"), MetricsLevel.NONE);

        PrivilegesEvaluationContext wildcardCtx =
                contextOf(plainUser(), ImmutableSet.of("role_with_wildcard_fls"), authz);
        assertRestricted(authz, wildcardCtx, "one_index");
        assertRestricted(authz, wildcardCtx, "another_index");

        PrivilegesEvaluationContext specificCtx =
                contextOf(plainUser(), ImmutableSet.of("role_without_wildcard_fls"), authz);
        assertUnrestricted(authz, specificCtx, "one_index");
        assertRestricted(authz, specificCtx, "another_index");
    }
}
