package com.floragunn.searchguard.enterprise.dlsfls;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.ConfigurationUpdater;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchsupport.junit.matcher.DocNodeMatchers;
import org.apache.http.Header;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Before;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/InvalidRolesAndMappingConfigurationTest.class */
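/**
 * Verifies how the cluster behaves when the Search Guard roles or roles-mapping configuration is
 * syntactically invalid (broken regex patterns, malformed DLS JSON, unparsable IP addresses).
 *
 * <p>The security property under test is that an invalid authorization configuration must not be
 * silently ignored: every search issued while such a configuration is active is expected to be
 * rejected with HTTP 500, an {@code error.type} of {@value #ERROR_TYPE} and a reason pointing the
 * operator at the log file. Authentication itself ({@code /_searchguard/authinfo}) is expected to
 * keep working, so the failure is limited to authorization. A final test checks that access is
 * restored once the offending role is gone again.
 *
 * <p>Each test installs its role or mapping through {@link ConfigurationUpdater}, which is
 * presumed to remove it again when the callback returns; confirm against that class if a test
 * starts leaking configuration into its neighbours.
 */
public class InvalidRolesAndMappingConfigurationTest {
    public static final String LIMITED_ROLE_NAME = "limited-role";
    /** {@code error.type} the cluster is expected to report for a rejected request. */
    private static final String ERROR_TYPE = "status_exception";
    private static final Logger log = LogManager.getLogger(InvalidRolesAndMappingConfigurationTest.class);
    private static final TestSgConfig.Authc AUTHC = new TestSgConfig.Authc(new TestSgConfig.Authc.Domain("basic/internal_users_db"));
    private static final TestSgConfig.DlsFls DLSFLS = new TestSgConfig.DlsFls().metrics("detailed");
    private static final TestSgConfig.User USER_ADMIN = new TestSgConfig.User("admin").roles(TestSgConfig.Role.ALL_ACCESS.getName());
    private static final TestSgConfig.User USER_LIMITED = new TestSgConfig.User("limited-user").roles(LIMITED_ROLE_NAME);
    /** A well-formed role; used as the positive control and as the target of the valid mapping. */
    private static final TestSgConfig.Role ROLE_VALID = new TestSgConfig.Role("valid-role").clusterPermissions("*").indexPermissions("*").fls("~secret").on("index*");
    /** A role whose definition is fine; the mapping tests attach broken mappings to it. */
    private static final TestSgConfig.Role ROLE_USED_WITH_INCORRECT_MAPPING = new TestSgConfig.Role("invalid-mapping-role").clusterPermissions("*");

    /** Expected {@code error.reason} substring for a rejected request. */
    private static final String INCORRECT_CONFIGURATION_REASON = "Incorrect configuration of SearchGuard roles or roles mapping, please check the log file for more details.";

    @ClassRule
    public static LocalCluster.Embedded CLUSTER = new LocalCluster.Builder().singleNode().authc(AUTHC).dlsFls(DLSFLS).roles(TestSgConfig.Role.ALL_ACCESS).user(USER_ADMIN).user(USER_LIMITED).sslEnabled().enterpriseModulesEnabled().embedded().build();

    private ConfigurationUpdater configurationUpdater;

    @Before
    public void beforeEach() {
        this.configurationUpdater = new ConfigurationUpdater(CLUSTER, USER_ADMIN);
    }

    /** Positive control: a valid role must leave search working. */
    @Test
    public void shouldPerformSearchWhenConfigurationIsValid() throws Exception {
        GenericRestClient.HttpResponse response = configurationUpdater.callWithRole(ROLE_VALID, InvalidRolesAndMappingConfigurationTest::authenticateAndSearch);

        MatcherAssert.assertThat(response.getStatusCode(), Matchers.equalTo(200));
    }

    @Test
    public void shouldReportConfigurationErrorWhenRoleContainsInvalidIndexPattern() throws Exception {
        // unbalanced "(" in the regex-style index pattern
        TestSgConfig.Role role = new TestSgConfig.Role("invalid-role-index").clusterPermissions("*").indexPermissions("*").fls("~secret").on("/index-(.+/");

        assertThatSearchIsRejectedDueToIncorrectConfiguration(configurationUpdater.callWithRole(role, InvalidRolesAndMappingConfigurationTest::authenticateAndSearch));
    }

    @Test
    public void shouldReportConfigurationErrorWhenRoleContainsInvalidPermissionPattern() throws Exception {
        TestSgConfig.Role role = new TestSgConfig.Role("invalid-role-permission").clusterPermissions("*").indexPermissions("/permission-(.+/").fls("~secret").on("index");

        assertThatSearchIsRejectedDueToIncorrectConfiguration(configurationUpdater.callWithRole(role, InvalidRolesAndMappingConfigurationTest::authenticateAndSearch));
    }

    @Test
    public void shouldReportConfigurationErrorWhenRoleContainsDefinedDlsAndInvalidIndexPattern() throws Exception {
        // the DLS query itself is valid here; only the index pattern is broken
        TestSgConfig.Role role = new TestSgConfig.Role("invalid-role-dls-index-pattern").clusterPermissions("*").indexPermissions("*").dls("{\"match\":{\"country_code\":\"ad\"}}").fls("~secret").on("/index(.+/");

        assertThatSearchIsRejectedDueToIncorrectConfiguration(configurationUpdater.callWithRole(role, InvalidRolesAndMappingConfigurationTest::authenticateAndSearch));
    }

    @Test
    public void shouldReportConfigurationErrorWhenRoleContainsIncorrectJsonInDlsQuery() throws Exception {
        // unquoted value and missing closing brace: not parseable as JSON
        TestSgConfig.Role role = new TestSgConfig.Role("invalid-role-dls-incorrect-json").clusterPermissions("*").indexPermissions("*").dls("{\"match\":{\"country_code\":ad}").fls("~secret").on("index");

        assertThatSearchIsRejectedDueToIncorrectConfiguration(configurationUpdater.callWithRole(role, InvalidRolesAndMappingConfigurationTest::authenticateAndSearch));
    }

    @Test
    public void shouldReportConfigurationErrorWhenRoleContainsIncorrectDlsQuery() throws Exception {
        // well-formed JSON, but an empty "term" clause is not a valid query
        TestSgConfig.Role role = new TestSgConfig.Role("invalid-role-incorrect-dls-query").clusterPermissions("*").indexPermissions("indices:data/read/search*", "indices:monitor/*").dls("{\"term\":{}}").fls("~secret").on("index");

        assertThatSearchIsRejectedDueToIncorrectConfiguration(configurationUpdater.callWithRole(role, InvalidRolesAndMappingConfigurationTest::authenticateAndSearch));
    }

    @Test
    public void shouldReportConfigurationErrorWhenRoleContainsIncorrectFlsPattern() throws Exception {
        TestSgConfig.Role role = new TestSgConfig.Role("invalid-role-fls-pattern").clusterPermissions("*").indexPermissions("indices:data/read/search*", "indices:monitor/*").dls("{\"match\":{\"country_code\":\"ad\"}}").fls("/public-(.+/").on("index");

        assertThatSearchIsRejectedDueToIncorrectConfiguration(configurationUpdater.callWithRole(role, InvalidRolesAndMappingConfigurationTest::authenticateAndSearch));
    }

    /** Positive control for mappings: a valid mapping on a valid role must leave search working. */
    @Test
    public void shouldPerformSearchWhenConfigurationWithRolesAndMappingsIsValid() throws Exception {
        TestSgConfig.RoleMapping mapping = new TestSgConfig.RoleMapping(ROLE_VALID.getName()).backendRoles("accountant").ips("192.178.1.5").hosts("*.search-guard.com");

        GenericRestClient.HttpResponse response = configurationUpdater.callWithMapping(mapping, InvalidRolesAndMappingConfigurationTest::authenticateAndSearch);

        MatcherAssert.assertThat(response.getStatusCode(), Matchers.equalTo(200));
    }

    @Test
    public void shouldReportConfigurationErrorWhenMappingContainInvalidPatternInBackendRoleName() throws Exception {
        TestSgConfig.RoleMapping mapping = new TestSgConfig.RoleMapping(ROLE_USED_WITH_INCORRECT_MAPPING.getName()).backendRoles("/accountant(.+/");

        assertThatSearchIsRejectedDueToIncorrectConfiguration(configurationUpdater.callWithMapping(mapping, InvalidRolesAndMappingConfigurationTest::authenticateAndSearch));
    }

    @Test
    public void shouldReportConfigurationErrorWhenMappingContainInvalidPatternInUsername() throws Exception {
        TestSgConfig.RoleMapping mapping = new TestSgConfig.RoleMapping(ROLE_USED_WITH_INCORRECT_MAPPING.getName()).users("/admin-(.+/");

        assertThatSearchIsRejectedDueToIncorrectConfiguration(configurationUpdater.callWithMapping(mapping, InvalidRolesAndMappingConfigurationTest::authenticateAndSearch));
    }

    @Test
    public void shouldReportConfigurationErrorWhenMappingContainInvalidIpAddress() throws Exception {
        TestSgConfig.RoleMapping mapping = new TestSgConfig.RoleMapping(ROLE_USED_WITH_INCORRECT_MAPPING.getName()).ips("this is not an IP address!");

        assertThatSearchIsRejectedDueToIncorrectConfiguration(configurationUpdater.callWithMapping(mapping, InvalidRolesAndMappingConfigurationTest::authenticateAndSearch));
    }

    @Test
    public void shouldReportConfigurationErrorWhenMappingContainInvalidHostPattern() throws Exception {
        TestSgConfig.RoleMapping mapping = new TestSgConfig.RoleMapping(ROLE_USED_WITH_INCORRECT_MAPPING.getName()).hosts("/(.+search-guard.com/");

        assertThatSearchIsRejectedDueToIncorrectConfiguration(configurationUpdater.callWithMapping(mapping, InvalidRolesAndMappingConfigurationTest::authenticateAndSearch));
    }

    /**
     * A broken mapping and a broken role installed at the same time must still produce the
     * single, generic rejection; the inner callback uses its own client parameter name because a
     * lambda parameter may not shadow the enclosing lambda's parameter.
     */
    @Test
    public void shouldReportMultipleErrorsWhenConfigurationIsInvalid() throws Exception {
        TestSgConfig.RoleMapping invalidMapping = new TestSgConfig.RoleMapping(ROLE_USED_WITH_INCORRECT_MAPPING.getName()).hosts("/(.+search-guard.com/");
        TestSgConfig.Role invalidRole = new TestSgConfig.Role("invalid-role-permission").clusterPermissions("*").indexPermissions("/permission-(.+/").fls("~secret").on("index");

        GenericRestClient.HttpResponse response = configurationUpdater.callWithMapping(invalidMapping,
                outerClient -> configurationUpdater.callWithRole(invalidRole, InvalidRolesAndMappingConfigurationTest::authenticateAndSearch));

        assertThatSearchIsRejectedDueToIncorrectConfiguration(response);
    }

    /**
     * Rejection must not be sticky: once the invalid role is gone, the same admin user can search
     * again. Relies on {@link ConfigurationUpdater#callWithRole} restoring the previous
     * configuration after the callback returns.
     */
    @Test
    public void shouldRestoreAccessWhenConfigurationIsCorrected() throws Exception {
        TestSgConfig.Role invalidRole = new TestSgConfig.Role("invalid-role-index").clusterPermissions("*").indexPermissions("*").fls("~secret").on("/index-(.+/");

        GenericRestClient.HttpResponse rejected = configurationUpdater.callWithRole(invalidRole, InvalidRolesAndMappingConfigurationTest::searchAll);
        MatcherAssert.assertThat(rejected.getStatusCode(), Matchers.equalTo(500));

        try (GenericRestClient restClient = CLUSTER.getRestClient(USER_ADMIN)) {
            MatcherAssert.assertThat(searchAll(restClient).getStatusCode(), Matchers.equalTo(200));
        }
    }

    /**
     * Asserts the shape of a rejected search: HTTP 500, {@code error.type} equal to
     * {@link #ERROR_TYPE} and an {@code error.reason} that refers the operator to the log file.
     * The body is logged first so a failing assertion can be diagnosed from the test output.
     *
     * @param httpResponse the response of the search performed under the invalid configuration
     */
    private static void assertThatSearchIsRejectedDueToIncorrectConfiguration(GenericRestClient.HttpResponse httpResponse) throws Exception {
        log.info("Search response body '{}'", httpResponse.getBody());
        MatcherAssert.assertThat(httpResponse.getStatusCode(), Matchers.equalTo(500));
        DocNode bodyAsDocNode = httpResponse.getBodyAsDocNode();
        MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.error.type", ERROR_TYPE));
        MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containSubstring("$.error.reason", INCORRECT_CONFIGURATION_REASON));
    }

    /**
     * Checks that the client's credentials are still accepted and the health endpoint answers,
     * i.e. that an invalid authorization configuration does not break authentication.
     *
     * @param genericRestClient client whose identity is under test
     */
    private static void assertThatUserCanAuthenticate(GenericRestClient genericRestClient) throws Exception {
        MatcherAssert.assertThat(genericRestClient.get("/_searchguard/authinfo").getStatusCode(), Matchers.equalTo(200));
        GenericRestClient.HttpResponse httpResponse = genericRestClient.get("/_searchguard/health");
        MatcherAssert.assertThat(httpResponse.getStatusCode(), Matchers.equalTo(200));
        log.info("Health response body '{}'", httpResponse.getBody());
    }

    /**
     * The callback shared by most tests: prove authentication works, then run the search whose
     * response the test inspects.
     *
     * @return the search response
     */
    private static GenericRestClient.HttpResponse authenticateAndSearch(GenericRestClient genericRestClient) throws Exception {
        assertThatUserCanAuthenticate(genericRestClient);
        return searchAll(genericRestClient);
    }

    /**
     * Searches all indices with the given client.
     *
     * @return the raw search response; status code and body are interpreted by the caller
     */
    private static GenericRestClient.HttpResponse searchAll(GenericRestClient genericRestClient) throws Exception {
        return genericRestClient.get("/*/_search");
    }
}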
