package com.floragunn.searchguard.enterprise.dlsfls;

import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.authz.config.Role;
import com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldAuthorization;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.floragunn.searchsupport.cstate.metrics.MetricsLevel;
import com.floragunn.searchsupport.meta.Meta;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Suite;

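/**
 * Tests for the role-based field-level security (FLS) rules of {@link RoleBasedFieldAuthorization}.
 *
 * <p>The assertions below pin down the following semantics:
 * <ul>
 *   <li>an index permission without FLS patterns allows every field;</li>
 *   <li>a plain pattern is an allow-list entry, and {@code *} acts as a wildcard;</li>
 *   <li>a pattern prefixed with {@code ~} excludes the matching fields;</li>
 *   <li>with several roles, a field is visible as soon as ONE role allows it. A role without FLS
 *       patterns therefore lifts the restrictions of every other role the user holds.</li>
 * </ul>
 */
@RunWith(Suite.class)
@Suite.SuiteClasses({FlsRule.class, IndicesAndAliases_getRestriction.class})
public class RoleBasedFieldAuthorizationTest {

    /**
     * Tests for {@code RoleBasedFieldAuthorization.FlsRule.SingleRole} and
     * {@code RoleBasedFieldAuthorization.FlsRule.MultiRole} built directly from role definitions.
     */
    public static class FlsRule {
        /** No FLS patterns at all: the rule must report that every field is allowed. */
        @Test
        public void singleRole_empty() throws Exception {
            // Built inline on purpose: this is the only case where fls(...) is never called.
            RoleBasedFieldAuthorization.FlsRule.SingleRole rule = new RoleBasedFieldAuthorization.FlsRule.SingleRole(
                    (Role.Index) new TestSgConfig.Role("role")
                            .indexPermissions(new String[]{"*"})
                            .on(new String[]{"*"})
                            .toActualRole()
                            .getIndexPermissions()
                            .get(0));
            Assert.assertTrue(rule.toString(), rule.isAllowAll());
        }

        /** Literal field names are matched exactly: "aa" is not covered by "a". */
        @Test
        public void singleRole_simple_positive() throws Exception {
            RoleBasedFieldAuthorization.FlsRule.SingleRole rule = singleRole("role", "a", "b");
            Assert.assertFalse(rule.toString(), rule.isAllowAll());
            Assert.assertTrue(rule.toString(), rule.isAllowed("a"));
            Assert.assertTrue(rule.toString(), rule.isAllowed("b"));
            Assert.assertFalse(rule.toString(), rule.isAllowed("c"));
            Assert.assertFalse(rule.toString(), rule.isAllowed("aa"));
        }

        /** Wildcard patterns allow every field with the given prefix, including the bare prefix. */
        @Test
        public void singleRole_pattern_positive() throws Exception {
            RoleBasedFieldAuthorization.FlsRule.SingleRole rule = singleRole("role", "a*", "b*");
            Assert.assertFalse(rule.toString(), rule.isAllowAll());
            Assert.assertTrue(rule.toString(), rule.isAllowed("a"));
            Assert.assertTrue(rule.toString(), rule.isAllowed("b"));
            Assert.assertFalse(rule.toString(), rule.isAllowed("c"));
            Assert.assertTrue(rule.toString(), rule.isAllowed("aa"));
        }

        /** Only exclusions: everything is allowed except the fields matching a {@code ~} pattern. */
        @Test
        public void singleRole_pattern_negation() throws Exception {
            RoleBasedFieldAuthorization.FlsRule.SingleRole rule = singleRole("role", "~a*", "~b*");
            Assert.assertFalse(rule.toString(), rule.isAllowAll());
            Assert.assertFalse(rule.toString(), rule.isAllowed("a"));
            Assert.assertFalse(rule.toString(), rule.isAllowed("b"));
            Assert.assertTrue(rule.toString(), rule.isAllowed("c"));
            Assert.assertFalse(rule.toString(), rule.isAllowed("aa"));
        }

        /** {@code ~*} excludes every field, the empty field name included. */
        @Test
        public void singleRole_full_negation() throws Exception {
            RoleBasedFieldAuthorization.FlsRule.SingleRole rule = singleRole("role", "~*");
            Assert.assertFalse(rule.toString(), rule.isAllowAll());
            Assert.assertFalse(rule.toString(), rule.isAllowed("a"));
            Assert.assertFalse(rule.toString(), rule.isAllowed(""));
        }

        /** An exclusion carves fields out of an allow pattern within the same role. */
        @Test
        public void singleRole_mixed() throws Exception {
            RoleBasedFieldAuthorization.FlsRule.SingleRole rule = singleRole("role", "a*", "~a1*");
            Assert.assertFalse(rule.toString(), rule.isAllowAll());
            Assert.assertTrue(rule.toString(), rule.isAllowed("a"));
            Assert.assertTrue(rule.toString(), rule.isAllowed("a2"));
            Assert.assertFalse(rule.toString(), rule.isAllowed("a1"));
            Assert.assertFalse(rule.toString(), rule.isAllowed("b"));
        }

        /** Two allow-list roles: the visible fields are the union of both lists, nothing more. */
        @Test
        public void multiRole_simple_positive() throws Exception {
            RoleBasedFieldAuthorization.FlsRule.MultiRole rule = new RoleBasedFieldAuthorization.FlsRule.MultiRole(
                    ImmutableList.of(singleRole("role1", "a"), singleRole("role2", "b")));
            Assert.assertFalse(rule.toString(), rule.isAllowAll());
            Assert.assertTrue(rule.toString(), rule.isAllowed("a"));
            Assert.assertTrue(rule.toString(), rule.isAllowed("b"));
            Assert.assertFalse(rule.toString(), rule.isAllowed("c"));
            Assert.assertFalse(rule.toString(), rule.isAllowed("aa"));
        }

        /**
         * Two roles that exclude different fields: each field hidden by one role is still allowed
         * by the other one, so no field stays hidden.
         */
        @Test
        public void multiRole_simple_negative_distinct() throws Exception {
            RoleBasedFieldAuthorization.FlsRule.MultiRole rule = new RoleBasedFieldAuthorization.FlsRule.MultiRole(
                    ImmutableList.of(singleRole("role1", "~a"), singleRole("role2", "~b")));
            Assert.assertTrue(rule.toString(), rule.isAllowed("a"));
            Assert.assertTrue(rule.toString(), rule.isAllowed("b"));
            Assert.assertTrue(rule.toString(), rule.isAllowed("c"));
            Assert.assertTrue(rule.toString(), rule.isAllowed("aa"));
        }

        /** Overlapping exclusions: only the fields excluded by BOTH roles stay hidden. */
        @Test
        public void multiRole_pattern_negative_overlapping() throws Exception {
            RoleBasedFieldAuthorization.FlsRule.MultiRole rule = new RoleBasedFieldAuthorization.FlsRule.MultiRole(
                    ImmutableList.of(singleRole("role1", "~a*"), singleRole("role2", "~a1*")));
            Assert.assertTrue(rule.toString(), rule.isAllowed("a"));
            Assert.assertTrue(rule.toString(), rule.isAllowed("a2"));
            Assert.assertFalse(rule.toString(), rule.isAllowed("a1"));
            Assert.assertFalse(rule.toString(), rule.isAllowed("a12"));
        }

        /**
         * Builds the rule for the first index permission of a role that grants {@code *} on index
         * pattern {@code *} with the given FLS patterns.
         *
         * @param roleName name of the test role
         * @param flsPatterns FLS patterns; a leading {@code ~} marks an exclusion
         * @return the single-role rule compiled from that index permission
         */
        private static RoleBasedFieldAuthorization.FlsRule.SingleRole singleRole(String roleName, String... flsPatterns)
                throws Exception {
            return new RoleBasedFieldAuthorization.FlsRule.SingleRole(
                    (Role.Index) new TestSgConfig.Role(roleName)
                            .indexPermissions(new String[]{"*"})
                            .fls(flsPatterns)
                            .on(new String[]{"*"})
                            .toActualRole()
                            .getIndexPermissions()
                            .get(0));
        }
    }

    /**
     * Tests for {@code RoleBasedFieldAuthorization.getRestriction}, where the rule is derived from the
     * roles in the evaluation context.
     */
    public static class IndicesAndAliases_getRestriction {
        static final Meta META = Meta.Mock.indices(new String[]{"index_a1"});
        static final Meta.Index index_a1 = META.getIndexOrLike("index_a1");

        /**
         * All roles use the index pattern {@code *}. Checks each restricted role alone, both
         * together, and the effect of an additional role without FLS patterns.
         */
        @Test
        public void wildcard() throws Exception {
            RoleBasedFieldAuthorization subject = new RoleBasedFieldAuthorization(
                    TestSgConfig.Role.toActualRole(new TestSgConfig.Role[]{
                            new TestSgConfig.Role("restricted_role_1")
                                    .indexPermissions(new String[]{"*"}).fls(new String[]{"a"}).on(new String[]{"*"}),
                            new TestSgConfig.Role("restricted_role_2")
                                    .indexPermissions(new String[]{"*"}).fls(new String[]{"b"}).on(new String[]{"*"}),
                            new TestSgConfig.Role("non_restricted_role")
                                    .indexPermissions(new String[]{"*"}).on(new String[]{"*"})}),
                    META, MetricsLevel.NONE);

            RoleBasedFieldAuthorization.FlsRule onlyRole1 = restrictionFor(subject, "restricted_role_1");
            Assert.assertTrue(onlyRole1.toString(), onlyRole1.isAllowed("a"));
            Assert.assertFalse(onlyRole1.toString(), onlyRole1.isAllowed("b"));
            // A field that no role mentions must stay hidden.
            Assert.assertFalse(onlyRole1.toString(), onlyRole1.isAllowed("c"));

            RoleBasedFieldAuthorization.FlsRule onlyRole2 = restrictionFor(subject, "restricted_role_2");
            Assert.assertFalse(onlyRole2.toString(), onlyRole2.isAllowed("a"));
            Assert.assertTrue(onlyRole2.toString(), onlyRole2.isAllowed("b"));
            Assert.assertFalse(onlyRole2.toString(), onlyRole2.isAllowed("c"));

            RoleBasedFieldAuthorization.FlsRule bothRestricted =
                    restrictionFor(subject, "restricted_role_1", "restricted_role_2");
            Assert.assertTrue(bothRestricted.toString(), bothRestricted.isAllowed("a"));
            Assert.assertTrue(bothRestricted.toString(), bothRestricted.isAllowed("b"));
            // Without this check, a merge that degraded to "allow everything" would still pass:
            // the two assertions above only cover fields that one of the roles grants.
            Assert.assertFalse(bothRestricted.toString(), bothRestricted.isAllowed("c"));

            RoleBasedFieldAuthorization.FlsRule unrestricted = restrictionFor(subject, "non_restricted_role");
            Assert.assertTrue(unrestricted.toString(), unrestricted.isAllowed("a"));
            Assert.assertTrue(unrestricted.toString(), unrestricted.isAllowed("b"));

            // One role without FLS patterns is enough to lift the restriction of the other role.
            RoleBasedFieldAuthorization.FlsRule restrictedPlusUnrestricted =
                    restrictionFor(subject, "restricted_role_1", "non_restricted_role");
            Assert.assertTrue(restrictedPlusUnrestricted.toString(), restrictedPlusUnrestricted.isAllowed("a"));
            Assert.assertTrue(restrictedPlusUnrestricted.toString(), restrictedPlusUnrestricted.isAllowed("b"));
        }

        /**
         * Resolves the FLS rule that applies to {@code index_a1} for a context holding the given roles.
         *
         * @param subject the authorization instance under test
         * @param effectiveRoles role names placed into the evaluation context
         * @return the rule returned by {@code getRestriction}
         */
        private static RoleBasedFieldAuthorization.FlsRule restrictionFor(RoleBasedFieldAuthorization subject,
                String... effectiveRoles) throws Exception {
            return (RoleBasedFieldAuthorization.FlsRule) subject.getRestriction(ctx(effectiveRoles), index_a1, Meter.NO_OP);
        }

        /**
         * Creates an evaluation context for the user {@code test_user} with the given names as its
         * role set.
         *
         * @param effectiveRoles names passed as the context's role set
         * @return a context without action, request, introspector or special privileges context
         */
        private static PrivilegesEvaluationContext ctx(String... effectiveRoles) {
            User testUser = new User.Builder().name("test_user").build();
            // NOTE(review): the meaning of the two boolean flags is not visible in this file; the
            // values are kept exactly as the test has always passed them.
            return new PrivilegesEvaluationContext(testUser, false, ImmutableSet.ofArray(effectiveRoles), (Action) null,
                    (Object) null, true, (ActionRequestIntrospector) null, (SpecialPrivilegesEvaluationContext) null);
        }
    }
}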
