package com.floragunn.searchguard.enterprise.dlsfls.int_tests;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.IndexApiMatchers;
import com.floragunn.searchguard.test.RestMatchers;
import com.floragunn.searchguard.test.TestAlias;
import com.floragunn.searchguard.test.TestData;
import com.floragunn.searchguard.test.TestIndex;
import com.floragunn.searchguard.test.TestIndexLike;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchsupport.junit.matcher.DocNodeMatchers;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.apache.http.Header;
import org.hamcrest.MatcherAssert;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

@RunWith(Parameterized.class)
/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/int_tests/DlsReadOnlyIntTests.class */
public class DlsReadOnlyIntTests {
    static TestIndex index_1 = TestIndex.name("index_1").documentCount(100).seed(1).attr("prefix", "a").setting("index.number_of_shards", 5).build();
    static TestIndex index_2 = TestIndex.name("index_2").documentCount(110).seed(2).attr("prefix", "a").setting("index.number_of_shards", 5).build();
    static TestIndex index_3 = TestIndex.name("index_3").documentCount(51).seed(4).attr("prefix", "b").setting("index.number_of_shards", 5).build();
    static TestIndex index_hidden = TestIndex.name("index_hidden").documentCount(52).hidden().seed(8).attr("prefix", "h").build();
    static TestIndex user_dept_terms_lookup = TestIndex.name("user_dept_terms_lookup").documentCount(0).customDocument("limited_user_index_1_dept_D_terms_lookup", ImmutableMap.of("dept", "dept_d")).hidden().build();
    static TestAlias alias_1 = new TestAlias("alias_1", new TestIndexLike[]{index_1});
    static TestAlias alias_12 = new TestAlias("alias_12", new TestIndexLike[]{index_1, index_2});
    static TestSgConfig.User LIMITED_USER_INDEX_1_DEPT_A = new TestSgConfig.User("limited_user_index_1_dept_A").description("dept_a in index_1").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("r1").clusterPermissions(new String[]{"SGS_CLUSTER_COMPOSITE_OPS_RO", "SGS_CLUSTER_MONITOR"}).indexPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("prefix.dept.value", "dept_a")).on(new String[]{"index_1"})}).indexMatcher("read", IndexApiMatchers.limitedTo(new TestIndexLike[]{index_1.filteredBy(docNode -> {
        return docNode.getAsString("dept").startsWith("dept_a");
    })}));
    static TestSgConfig.User LIMITED_USER_INDEX_1_DEPT_D = new TestSgConfig.User("limited_user_index_1_dept_D").description("dept_d in index_1").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("r1").clusterPermissions(new String[]{"SGS_CLUSTER_COMPOSITE_OPS_RO", "SGS_CLUSTER_MONITOR"}).indexPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("prefix.dept.value", "dept_d")).on(new String[]{"index_1"})}).indexMatcher("read", IndexApiMatchers.limitedTo(new TestIndexLike[]{index_1.filteredBy(docNode -> {
        return docNode.getAsString("dept").startsWith("dept_d");
    })}));
    static TestSgConfig.User LIMITED_USER_INDEX_1_HIDDEN_DEPT_A = new TestSgConfig.User("limited_user_index_1_hidden_dept_A").description("dept_a in index_1 and index_hidden").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("r1").clusterPermissions(new String[]{"SGS_CLUSTER_COMPOSITE_OPS_RO", "SGS_CLUSTER_MONITOR"}).indexPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("prefix.dept.value", "dept_a")).on(new String[]{"index_1", "index_hidden"})}).indexMatcher("read", IndexApiMatchers.limitedTo(new TestIndexLike[]{index_1.filteredBy(docNode -> {
        return docNode.getAsString("dept").startsWith("dept_a");
    }), index_hidden.filteredBy(docNode2 -> {
        return docNode2.getAsString("dept").startsWith("dept_a");
    })}));
    static TestSgConfig.User LIMITED_USER_INDEX_1_DEPT_A_INDEX_2_DEPT_D = new TestSgConfig.User("limited_user_index_1_dept_A_index_2_dept_D").description("dept_a in index_1; dept_d in index_2").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("r1").clusterPermissions(new String[]{"SGS_CLUSTER_COMPOSITE_OPS_RO", "SGS_CLUSTER_MONITOR"}).indexPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("prefix.dept.value", "dept_a")).on(new String[]{"index_1"}).indexPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("prefix.dept.value", "dept_d")).on(new String[]{"index_2"})}).indexMatcher("read", IndexApiMatchers.limitedTo(new TestIndexLike[]{index_1.filteredBy(docNode -> {
        return docNode.getAsString("dept").startsWith("dept_a");
    }), index_2.filteredBy(docNode2 -> {
        return docNode2.getAsString("dept").startsWith("dept_d");
    })}));
    static TestSgConfig.User LIMITED_USER_ALIAS_1_DEPT_A = new TestSgConfig.User("limited_user_alias_1_dept_A").description("dept_a in alias_1").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("r1").clusterPermissions(new String[]{"SGS_CLUSTER_COMPOSITE_OPS_RO", "SGS_CLUSTER_MONITOR"}).aliasPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("prefix.dept.value", "dept_a")).on(new String[]{"alias_1"})}).indexMatcher("read", IndexApiMatchers.limitedTo(new TestIndexLike[]{alias_1.filteredBy(docNode -> {
        return docNode.getAsString("dept").startsWith("dept_a");
    }), index_1.filteredBy(docNode2 -> {
        return docNode2.getAsString("dept").startsWith("dept_a");
    })}));
    static TestSgConfig.User LIMITED_USER_ALIAS_12_DEPT_D = new TestSgConfig.User("limited_user_alias_12_dept_D").description("dept_d in alias_12").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("r1").clusterPermissions(new String[]{"SGS_CLUSTER_COMPOSITE_OPS_RO", "SGS_CLUSTER_MONITOR"}).aliasPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("prefix.dept.value", "dept_d")).on(new String[]{"alias_12"})}).indexMatcher("read", IndexApiMatchers.limitedTo(new TestIndexLike[]{index_1.filteredBy(docNode -> {
        return docNode.getAsString("dept").startsWith("dept_d");
    }), index_2.filteredBy(docNode2 -> {
        return docNode2.getAsString("dept").startsWith("dept_d");
    })}));
    static TestSgConfig.User LIMITED_USER_ALIAS_12_DEPT_D_INDEX_1_DEPT_A = new TestSgConfig.User("limited_user_alias_12_dept_D_index_1_dept_a").description("dept_d in alias_12; additionally dept_a in index_1").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("r1").clusterPermissions(new String[]{"SGS_CLUSTER_COMPOSITE_OPS_RO", "SGS_CLUSTER_MONITOR"}).aliasPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("prefix.dept.value", "dept_d")).on(new String[]{"alias_12"}), new TestSgConfig.Role("r2").indexPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("prefix.dept.value", "dept_a")).on(new String[]{"index_1"})}).indexMatcher("read", IndexApiMatchers.limitedTo(new TestIndexLike[]{index_1.filteredBy(docNode -> {
        return docNode.getAsString("dept").startsWith("dept_d") || docNode.getAsString("dept").startsWith("dept_a");
    }), index_2.filteredBy(docNode2 -> {
        return docNode2.getAsString("dept").startsWith("dept_d");
    })}));
    static TestSgConfig.User LIMITED_USER_INDEX_1_DEPT_D_TERMS_LOOKUP = new TestSgConfig.User("limited_user_index_1_dept_D_terms_lookup").description("dept_d in index_1 with terms lookup").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("r1").clusterPermissions(new String[]{"SGS_CLUSTER_COMPOSITE_OPS_RO", "SGS_CLUSTER_MONITOR"}).indexPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("terms", DocNode.of("dept", DocNode.of("index", "user_dept_terms_lookup", "id", "${user.name}", "path", "dept")))).on(new String[]{"index_1"})}).indexMatcher("read", IndexApiMatchers.limitedTo(new TestIndexLike[]{index_1.filteredBy(docNode -> {
        return docNode.getAsString("dept").startsWith("dept_d");
    })}));
    static TestSgConfig.User UNLIMITED_USER = new TestSgConfig.User("unlimited_user").description("unlimited").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("r1").clusterPermissions(new String[]{"SGS_CLUSTER_COMPOSITE_OPS_RO", "SGS_CLUSTER_MONITOR"}).indexPermissions(new String[]{"*"}).on(new String[]{"*"}).aliasPermissions(new String[]{"*"}).on(new String[]{"*"})}).indexMatcher("read", IndexApiMatchers.unlimited()).indexMatcher("read_top_level", IndexApiMatchers.unlimited()).indexMatcher("get_alias", IndexApiMatchers.unlimited());
    static TestSgConfig.User SUPER_UNLIMITED_USER = new TestSgConfig.User("super_unlimited_user").description("super unlimited (admin cert)").adminCertUser().indexMatcher("read", IndexApiMatchers.unlimitedIncludingSearchGuardIndices()).indexMatcher("read_top_level", IndexApiMatchers.unlimitedIncludingSearchGuardIndices()).indexMatcher("get_alias", IndexApiMatchers.unlimitedIncludingSearchGuardIndices());
    static List<TestSgConfig.User> USERS = ImmutableList.of(LIMITED_USER_INDEX_1_DEPT_A, LIMITED_USER_INDEX_1_DEPT_D, LIMITED_USER_INDEX_1_HIDDEN_DEPT_A, new TestSgConfig.User[]{LIMITED_USER_INDEX_1_DEPT_A_INDEX_2_DEPT_D, LIMITED_USER_ALIAS_1_DEPT_A, LIMITED_USER_ALIAS_12_DEPT_D, LIMITED_USER_ALIAS_12_DEPT_D_INDEX_1_DEPT_A, LIMITED_USER_INDEX_1_DEPT_D_TERMS_LOOKUP, UNLIMITED_USER, SUPER_UNLIMITED_USER});
    static final TestSgConfig.DlsFls DLSFLS = new TestSgConfig.DlsFls().metrics("detailed");

    @ClassRule
    public static LocalCluster cluster = new LocalCluster.Builder().sslEnabled().enterpriseModulesEnabled().users(USERS).indices(new TestIndex[]{index_1, index_2, index_3, index_hidden, user_dept_terms_lookup}).aliases(new TestAlias[]{alias_1, alias_12}).authzDebug(true).logRequests().dlsFls(DLSFLS).build();
    final TestSgConfig.User user;

    @Test
    public void search_noPattern() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            MatcherAssert.assertThat(restClient.get("/_search?size=1000", new Header[0]), IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_2, index_3}).at("hits.hits[*]").but(this.user.indexMatcher("read")).whenEmpty(200));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void search_all() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            MatcherAssert.assertThat(restClient.get("/_all/_search?size=1000", new Header[0]), IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_2, index_3}).at("hits.hits[*]").but(this.user.indexMatcher("read")).whenEmpty(200));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void search_all_includeHidden() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            MatcherAssert.assertThat(restClient.get("/_all/_search?size=1000&expand_wildcards=all", new Header[0]), IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_2, index_3, index_hidden, user_dept_terms_lookup, IndexApiMatchers.searchGuardIndices()}).at("hits.hits[*]").but(this.user.indexMatcher("read")).whenEmpty(200));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void search_wildcard() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            MatcherAssert.assertThat(restClient.get("/*/_search?size=1000", new Header[0]), IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_2, index_3}).at("hits.hits[*]").but(this.user.indexMatcher("read")).whenEmpty(200));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void search_wildcard_includeHidden() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            MatcherAssert.assertThat(restClient.get("/*/_search?size=1000&expand_wildcards=all", new Header[0]), IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_2, index_3, index_hidden, user_dept_terms_lookup, IndexApiMatchers.searchGuardIndices()}).at("hits.hits[*]").but(this.user.indexMatcher("read")).whenEmpty(200));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void search_staticIndicies_hidden() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            MatcherAssert.assertThat(restClient.get("index_hidden/_search?size=1000", new Header[0]), IndexApiMatchers.containsExactly(new TestIndexLike[]{index_hidden}).at("hits.hits[*]").butForbiddenIfIncomplete(this.user.indexMatcher("read")));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void search_indexPattern() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            MatcherAssert.assertThat(restClient.get("index_*/_search?size=1000", new Header[0]), IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_2, index_3}).at("hits.hits[*]").but(this.user.indexMatcher("read")).whenEmpty(200));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void search_alias_ignoreUnavailable() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("alias_12/_search?size=1000&ignore_unavailable=true", new Header[0]);
            if (IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_1}).at("hits.hits[*]").but(this.user.indexMatcher("read")).isEmpty() || this.user == LIMITED_USER_ALIAS_1_DEPT_A) {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            } else {
                MatcherAssert.assertThat(httpResponse, IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_2}).at("hits.hits[*]").but(this.user.indexMatcher("read")).whenEmpty(200));
            }
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void search_alias_pattern() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            MatcherAssert.assertThat(restClient.get("alias_*/_search?size=1000", new Header[0]), IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_2}).at("hits.hits[*]").but(this.user.indexMatcher("read")).whenEmpty(200));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void search_scroll_all() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_all/_search?scroll=1m&size=15", new Header[0]);
            MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            ArrayList arrayList = new ArrayList((Collection) httpResponse.getBodyAsDocNode().getAsNode("hits").getAsListOfNodes("hits"));
            String asString = httpResponse.getBodyAsDocNode().getAsString("_scroll_id");
            while (true) {
                GenericRestClient.HttpResponse postJson = restClient.postJson("/_search/scroll", DocNode.of("scroll", "1m", "scroll_id", asString), new Header[0]);
                MatcherAssert.assertThat(postJson, RestMatchers.isOk());
                ImmutableList asListOfNodes = postJson.getBodyAsDocNode().getAsNode("hits").getAsListOfNodes("hits");
                if (asListOfNodes.size() == 0) {
                    break;
                } else {
                    arrayList.addAll(asListOfNodes);
                }
            }
            MatcherAssert.assertThat(arrayList, IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_2, index_3}).but(this.user.indexMatcher("read")));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void search_aggregation_terms_all() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            MatcherAssert.assertThat(restClient.postJson("/_all/_search", DocNode.of("query.match_all", DocNode.EMPTY, "aggs.test_agg.terms.field", "dept.keyword"), new Header[0]), IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_2, index_3}).aggregateTerm("dept").at("aggregations.test_agg.buckets").but(this.user.indexMatcher("read")).whenEmpty(200));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void search_aggregation_terms_static_index() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            MatcherAssert.assertThat(restClient.postJson("/index_1/_search", DocNode.of("query.match_all", DocNode.EMPTY, "aggs.test_agg.terms.field", "dept.keyword"), new Header[0]), IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1}).aggregateTerm("dept").at("aggregations.test_agg.buckets").but(this.user.indexMatcher("read")).whenEmpty(200));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void search_aggregation_terms_static_alias() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            GenericRestClient.HttpResponse postJson = restClient.postJson("/alias_12/_search?ignore_unavailable=true", DocNode.of("query.match_all", DocNode.EMPTY, "aggs.test_agg.terms.field", "dept.keyword"), new Header[0]);
            if (IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_1}).at("hits.hits[*]").but(this.user.indexMatcher("read")).isEmpty() || this.user == LIMITED_USER_ALIAS_1_DEPT_A) {
                MatcherAssert.assertThat(postJson, RestMatchers.isOk());
            } else {
                MatcherAssert.assertThat(postJson, IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_2}).aggregateTerm("dept").at("aggregations.test_agg.buckets").but(this.user.indexMatcher("read")).whenEmpty(200));
            }
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void msearch_staticIndices() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            MatcherAssert.assertThat(restClient.postJson("/_msearch", "{\"index\":\"index_1\"}\n{\"size\":200, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}\n{\"index\":\"index_2\"}\n{\"size\":200, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}\n", new Header[0]), IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1, index_2}).at("responses[*].hits.hits[*]").but(this.user.indexMatcher("read")).whenEmpty(200));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void get() throws Exception {
        TestData.TestDocument anyDocumentForDepartment = index_1.getTestData().anyDocumentForDepartment("dept_a_1");
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/index_1/_doc/" + anyDocumentForDepartment.getId(), new Header[0]);
            if (!IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1}).isCoveredBy(this.user.indexMatcher("read"))) {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isForbidden());
            } else if (IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1}).but(this.user.indexMatcher("read")).containsDocument(anyDocumentForDepartment.getId())) {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            } else {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isNotFound());
            }
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void get2() throws Exception {
        TestData.TestDocument anyDocumentForDepartment = index_1.getTestData().anyDocumentForDepartment("dept_d");
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/index_1/_doc/" + anyDocumentForDepartment.getId(), new Header[0]);
            if (!IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1}).isCoveredBy(this.user.indexMatcher("read"))) {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isForbidden());
            } else if (IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1}).but(this.user.indexMatcher("read")).containsDocument(anyDocumentForDepartment.getId())) {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            } else {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isNotFound());
            }
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void get_alias() throws Exception {
        TestData.TestDocument anyDocumentForDepartment = index_1.getTestData().anyDocumentForDepartment("dept_a_1");
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/alias_1/_doc/" + anyDocumentForDepartment.getId(), new Header[0]);
            if (!IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1}).isCoveredBy(this.user.indexMatcher("read")) || this.user == LIMITED_USER_ALIAS_12_DEPT_D) {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isForbidden());
            } else if (IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1}).but(this.user.indexMatcher("read")).containsDocument(anyDocumentForDepartment.getId())) {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            } else {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isNotFound());
            }
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void get_alias2() throws Exception {
        TestData.TestDocument anyDocumentForDepartment = index_1.getTestData().anyDocumentForDepartment("dept_d");
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/alias_1/_doc/" + anyDocumentForDepartment.getId(), new Header[0]);
            if (!IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1}).isCoveredBy(this.user.indexMatcher("read")) || this.user == LIMITED_USER_ALIAS_12_DEPT_D) {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isForbidden());
            } else if (IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1}).but(this.user.indexMatcher("read")).containsDocument(anyDocumentForDepartment.getId())) {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            } else {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isNotFound());
            }
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void mget() throws Exception {
        TestData.TestDocument anyDocumentForDepartment = index_1.getTestData().anyDocumentForDepartment("dept_a_1");
        TestData.TestDocument anyDocumentForDepartment2 = index_1.getTestData().anyDocumentForDepartment("dept_b_1");
        TestData.TestDocument anyDocumentForDepartment3 = index_2.getTestData().anyDocumentForDepartment("dept_a_1");
        TestData.TestDocument anyDocumentForDepartment4 = index_2.getTestData().anyDocumentForDepartment("dept_b_1");
        DocNode of = DocNode.of("docs", DocNode.array(new Object[]{DocNode.of("_index", "index_1", "_id", anyDocumentForDepartment.getId()), DocNode.of("_index", "index_1", "_id", anyDocumentForDepartment2.getId()), DocNode.of("_index", "index_2", "_id", anyDocumentForDepartment3.getId()), DocNode.of("_index", "index_2", "_id", anyDocumentForDepartment4.getId())}));
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            GenericRestClient.HttpResponse postJson = restClient.postJson("/_mget", of, new Header[0]);
            if (this.user == LIMITED_USER_INDEX_1_DEPT_D_TERMS_LOOKUP) {
                MatcherAssert.assertThat(postJson, RestMatchers.isForbidden());
                Assert.assertEquals(postJson.getBody(), "Insufficient permissions", postJson.getBodyAsDocNode().get("error", new String[]{"reason"}));
            } else {
                MatcherAssert.assertThat(postJson, RestMatchers.isOk());
                DocNode bodyAsDocNode = postJson.getBodyAsDocNode();
                checkMgetDocument(postJson, bodyAsDocNode, index_1, anyDocumentForDepartment);
                checkMgetDocument(postJson, bodyAsDocNode, index_1, anyDocumentForDepartment2);
                checkMgetDocument(postJson, bodyAsDocNode, index_2, anyDocumentForDepartment3);
                checkMgetDocument(postJson, bodyAsDocNode, index_2, anyDocumentForDepartment4);
            }
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void mget_alias() throws Exception {
        TestData.TestDocument anyDocumentForDepartment = index_1.getTestData().anyDocumentForDepartment("dept_a_1");
        TestData.TestDocument anyDocumentForDepartment2 = index_1.getTestData().anyDocumentForDepartment("dept_b_1");
        DocNode of = DocNode.of("docs", DocNode.array(new Object[]{DocNode.of("_index", "alias_1", "_id", anyDocumentForDepartment.getId()), DocNode.of("_index", "alias_1", "_id", anyDocumentForDepartment2.getId())}));
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            GenericRestClient.HttpResponse postJson = restClient.postJson("/_mget", of, new Header[0]);
            MatcherAssert.assertThat(postJson, RestMatchers.isOk());
            DocNode bodyAsDocNode = postJson.getBodyAsDocNode();
            if (this.user == LIMITED_USER_INDEX_1_DEPT_D_TERMS_LOOKUP) {
                MatcherAssert.assertThat(postJson.getBodyAsDocNode(), DocNodeMatchers.docNodeSizeEqualTo("docs", 0));
            } else {
                checkMgetDocument(postJson, bodyAsDocNode, index_1, anyDocumentForDepartment);
                checkMgetDocument(postJson, bodyAsDocNode, index_1, anyDocumentForDepartment2);
            }
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void checkMgetDocument(GenericRestClient.HttpResponse httpResponse, DocNode docNode, TestIndexLike testIndexLike, TestData.TestDocument testDocument) throws Exception {
        DocNode docNode2 = (DocNode) docNode.findSingleNodeByJsonPath("docs[?(@._id == \"" + testDocument.getId() + "\")]").toListOfNodes().get(0);
        Assert.assertNotNull(httpResponse.getBody(), docNode2);
        if (!IndexApiMatchers.containsExactly(new TestIndexLike[]{testIndexLike}).isCoveredBy(this.user.indexMatcher("read"))) {
            Assert.assertEquals(httpResponse.getBody(), "Insufficient permissions", docNode2.get("error", new String[]{"reason"}));
            return;
        }
        Boolean bool = docNode2.getBoolean("found");
        if (bool == null) {
            Assert.fail("No found attribute " + docNode2.toString());
        }
        if (IndexApiMatchers.containsExactly(new TestIndexLike[]{testIndexLike}).but(this.user.indexMatcher("read")).containsDocument(testDocument.getId())) {
            Assert.assertTrue(httpResponse.getBody(), bool.booleanValue());
        } else {
            Assert.assertFalse(httpResponse.getBody(), bool.booleanValue());
        }
    }

    @Test
    public void termvectors() throws Exception {
        TestData.TestDocument anyDocumentForDepartment = index_1.getTestData().anyDocumentForDepartment("dept_a_1");
        GenericRestClient restClient = cluster.getRestClient(this.user, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/index_1/_termvectors/" + anyDocumentForDepartment.getId(), new Header[0]);
            if (this.user == LIMITED_USER_INDEX_1_DEPT_D_TERMS_LOOKUP) {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isInternalServerError());
                Assert.assertTrue(httpResponse.getBody(), httpResponse.getBodyAsDocNode().getAsNode("error").getAsString("reason").startsWith("Unsupported request type for filter level DLS"));
            } else if (IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1}).isCoveredBy(this.user.indexMatcher("read"))) {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
                if (IndexApiMatchers.containsExactly(new TestIndexLike[]{index_1}).but(this.user.indexMatcher("read")).containsDocument(anyDocumentForDepartment.getId())) {
                    Assert.assertEquals(httpResponse.getBody(), true, httpResponse.getBodyAsDocNode().get("found"));
                } else {
                    Assert.assertEquals(httpResponse.getBody(), false, httpResponse.getBodyAsDocNode().get("found"));
                }
            } else {
                MatcherAssert.assertThat(httpResponse, RestMatchers.isForbidden());
            }
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Parameterized.Parameters(name = "{1}")
    public static Collection<Object[]> params() {
        ArrayList arrayList = new ArrayList();
        for (TestSgConfig.User user : USERS) {
            arrayList.add(new Object[]{user, user.getDescription()});
        }
        return arrayList;
    }

    public DlsReadOnlyIntTests(TestSgConfig.User user, String str) throws Exception {
        this.user = user;
    }
}
