package com.floragunn.searchguard.enterprise.femt.tenants;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.UnmodifiableIterator;
import com.floragunn.searchguard.authz.TenantManager;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchsupport.junit.matcher.DocNodeMatchers;
import org.apache.http.Header;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.index.IndexResponse;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.index.reindex.BulkByScrollResponse;
import org.elasticsearch.index.reindex.DeleteByQueryAction;
import org.elasticsearch.index.reindex.DeleteByQueryRequest;
import org.elasticsearch.rest.RestStatus;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/tenants/GetAvailableTenantsActionTest.class */
public class GetAvailableTenantsActionTest {
    private static final String FRONTEND_INDEX = ".kibana";
    private static final Logger log = LogManager.getLogger(GetAvailableTenantsActionTest.class);
    private static final TestSgConfig.Tenant HR_TENANT = new TestSgConfig.Tenant("hr_tenant");
    private static final TestSgConfig.Tenant FINANCE_TENANT = new TestSgConfig.Tenant("finance_tenant");
    private static final TestSgConfig.Tenant SALES_TENANT = new TestSgConfig.Tenant("sales_tenant");
    private static final TestSgConfig.Tenant OPERATIONS_TENANT = new TestSgConfig.Tenant("operations_tenant");
    private static final TestSgConfig.Tenant RD_TENANT = new TestSgConfig.Tenant("r&d_tenant");
    private static final TestSgConfig.Tenant BD_TENANT = new TestSgConfig.Tenant("business_development_tenant");
    private static final TestSgConfig.Tenant LEGAL_TENANT = new TestSgConfig.Tenant("legal_tenant");
    private static final TestSgConfig.Tenant IT_TENANT = new TestSgConfig.Tenant("information_technology_tenant");
    private static final TestSgConfig.Tenant PR_TENANT = new TestSgConfig.Tenant("public_relations_tenant");
    private static final TestSgConfig.Tenant QA_TENANT = new TestSgConfig.Tenant("quality_assurance_tenant");
    private static final ImmutableList<TestSgConfig.Tenant> ALL_DEFINED_TENANTS = ImmutableList.of(HR_TENANT, FINANCE_TENANT, SALES_TENANT, new TestSgConfig.Tenant[]{OPERATIONS_TENANT, RD_TENANT, BD_TENANT, LEGAL_TENANT, IT_TENANT, PR_TENANT, QA_TENANT});
    private static final TestSgConfig.User USER_SINGLE_TENANT = new TestSgConfig.User("user_single_tenant").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("single_tenant_access").tenantPermission(new String[]{"*"}).on(new String[]{HR_TENANT.getName()}).indexPermissions(new String[]{"*"}).on(new String[]{".kibana*"})});
    private static final TestSgConfig.User FRONTEND_SERVER_USER = new TestSgConfig.User("kibana_server");
    private static final TestSgConfig.User USER_EACH_TENANT_READ = new TestSgConfig.User("user_each_tenant_read").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("each_tenant_read_access").tenantPermission(new String[]{"SGS_KIBANA_ALL_READ"}).on((String[]) ALL_DEFINED_TENANTS.map((v0) -> {
        return v0.getName();
    }).with("SGS_GLOBAL_TENANT").toArray(i -> {
        return new String[i];
    })).indexPermissions(new String[]{"*"}).on(new String[]{".kibana*"})});
    private static final TestSgConfig.User USER_EACH_TENANT_WRITE = new TestSgConfig.User("user_each_tenant_write").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("each_tenant_write_access").tenantPermission(new String[]{"SGS_KIBANA_ALL_WRITE"}).on((String[]) ALL_DEFINED_TENANTS.map((v0) -> {
        return v0.getName();
    }).with("SGS_GLOBAL_TENANT").toArray(i -> {
        return new String[i];
    })).indexPermissions(new String[]{"*"}).on(new String[]{".kibana*"})});
    private static final TestSgConfig.User USER_SOME_TENANT_ACCESS = new TestSgConfig.User("user_some_tenant_access").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("some_tenant_access").tenantPermission(new String[]{"SGS_KIBANA_ALL_WRITE"}).on(new String[]{HR_TENANT.getName(), FINANCE_TENANT.getName(), SALES_TENANT.getName()}).tenantPermission(new String[]{"SGS_KIBANA_ALL_READ"}).on(new String[]{IT_TENANT.getName(), PR_TENANT.getName(), QA_TENANT.getName()}).indexPermissions(new String[]{"*"}).on(new String[]{".kibana*"})});

    @ClassRule
    public static LocalCluster cluster = new LocalCluster.Builder().sslEnabled().nodeSettings(new Object[]{"action.destructive_requires_name", false, "searchguard.unsupported.single_index_mt_enabled", true}).enterpriseModulesEnabled().roleMapping(new TestSgConfig.RoleMapping[]{new TestSgConfig.RoleMapping("SGS_KIBANA_MT_USER").users(new String[]{USER_SINGLE_TENANT.getName(), USER_EACH_TENANT_READ.getName(), USER_EACH_TENANT_WRITE.getName(), USER_SOME_TENANT_ACCESS.getName()}), new TestSgConfig.RoleMapping("SGS_KIBANA_SERVER").users(new String[]{FRONTEND_SERVER_USER.getName()})}).users(new TestSgConfig.User[]{FRONTEND_SERVER_USER, USER_SINGLE_TENANT, USER_EACH_TENANT_READ, USER_EACH_TENANT_WRITE, USER_SOME_TENANT_ACCESS}).frontendMultiTenancy(new TestSgConfig.FrontendMultiTenancy(true).index(".kibana").serverUser(FRONTEND_SERVER_USER.getName())).tenants(new TestSgConfig.Tenant[]{HR_TENANT, FINANCE_TENANT, SALES_TENANT, OPERATIONS_TENANT, RD_TENANT, BD_TENANT, LEGAL_TENANT, IT_TENANT, PR_TENANT, QA_TENANT}).build();

    @BeforeClass
    public static void createIndex() {
        Client internalNodeClient = cluster.getInternalNodeClient();
        try {
            MatcherAssert.assertThat(Boolean.valueOf(((CreateIndexResponse) internalNodeClient.admin().indices().create(new CreateIndexRequest(".kibana").settings(Settings.builder().put("index.hidden", true)).mapping(DocNode.of("_doc", DocNode.of("properties", DocNode.of("sg_tenant", DocNode.of("type", "keyword")))))).actionGet()).isAcknowledged()), Matchers.equalTo(true));
            if (internalNodeClient != null) {
                internalNodeClient.close();
            }
        } catch (Throwable th) {
            if (internalNodeClient != null) {
                try {
                    internalNodeClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @After
    public void clearIndices() {
        Client internalNodeClient = cluster.getInternalNodeClient();
        try {
            DeleteByQueryRequest deleteByQueryRequest = new DeleteByQueryRequest(new String[]{".kibana"});
            deleteByQueryRequest.setQuery(QueryBuilders.matchAllQuery());
            deleteByQueryRequest.setRefresh(true);
            deleteByQueryRequest.setBatchSize(100);
            deleteByQueryRequest.setScroll(TimeValue.timeValueMinutes(1L));
            BulkByScrollResponse bulkByScrollResponse = (BulkByScrollResponse) internalNodeClient.execute(DeleteByQueryAction.INSTANCE, deleteByQueryRequest).actionGet();
            MatcherAssert.assertThat(bulkByScrollResponse.getSearchFailures(), Matchers.empty());
            MatcherAssert.assertThat(bulkByScrollResponse.getBulkFailures(), Matchers.empty());
            if (internalNodeClient != null) {
                internalNodeClient.close();
            }
        } catch (Throwable th) {
            if (internalNodeClient != null) {
                try {
                    internalNodeClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldFindAccessibleTenantsForSingleTenantUser() throws Exception {
        createTenants(".kibana", (String[]) ALL_DEFINED_TENANTS.map((v0) -> {
            return v0.getName();
        }).toArray(i -> {
            return new String[i];
        }));
        GenericRestClient restClient = cluster.getRestClient(USER_SINGLE_TENANT, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
            log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getBody());
            MatcherAssert.assertThat(Integer.valueOf(httpResponse.getStatusCode()), Matchers.equalTo(200));
            DocNode bodyAsDocNode = httpResponse.getBodyAsDocNode();
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.multi_tenancy_enabled", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.hr_tenant.read_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.hr_tenant.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.hr_tenant.exists", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.user_single_tenant.read_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.user_single_tenant.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.user_single_tenant.exists", false));
            MatcherAssert.assertThat(bodyAsDocNode, Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("$.data.tenants", "SGS_GLOBAL_TENANT")));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.docNodeSizeEqualTo("$.data.tenants", 2));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldFindAccessibleTenantsForUserAllowedToReadEachTenantData() throws Exception {
        createTenants(".kibana", (String[]) ALL_DEFINED_TENANTS.map((v0) -> {
            return v0.getName();
        }).with(USER_EACH_TENANT_READ.getName()).toArray(i -> {
            return new String[i];
        }));
        GenericRestClient restClient = cluster.getRestClient(USER_EACH_TENANT_READ, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
            log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getBody());
            MatcherAssert.assertThat(Integer.valueOf(httpResponse.getStatusCode()), Matchers.equalTo(200));
            DocNode bodyAsDocNode = httpResponse.getBodyAsDocNode();
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.docNodeSizeEqualTo("$.data.tenants", 12));
            UnmodifiableIterator it = ALL_DEFINED_TENANTS.map((v0) -> {
                return v0.getName();
            }).iterator();
            while (it.hasNext()) {
                String str = (String) it.next();
                String str2 = "$.data.tenants." + str + ".read_access";
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue(str2, true));
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".write_access", false));
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".exists", true));
            }
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.user_each_tenant_read.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.user_each_tenant_read.exists", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.read_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.write_access", false));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.exists", false));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldFindAccessibleTenantsForUserAllowedToWriteEachTenantData() throws Exception {
        String[] strArr = (String[]) ALL_DEFINED_TENANTS.map((v0) -> {
            return v0.getName();
        }).with(USER_EACH_TENANT_WRITE.getName()).toArray(i -> {
            return new String[i];
        });
        createTenants(".kibana", strArr);
        GenericRestClient restClient = cluster.getRestClient(USER_EACH_TENANT_WRITE, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
            log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getBody());
            MatcherAssert.assertThat(Integer.valueOf(httpResponse.getStatusCode()), Matchers.equalTo(200));
            DocNode bodyAsDocNode = httpResponse.getBodyAsDocNode();
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.docNodeSizeEqualTo("$.data.tenants", 12));
            for (String str : strArr) {
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".read_access", true));
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".write_access", true));
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".exists", true));
            }
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldFindAccessibleTenantsWhichDoesNotExist() throws Exception {
        String[] strArr = (String[]) ALL_DEFINED_TENANTS.map((v0) -> {
            return v0.getName();
        }).with(USER_EACH_TENANT_WRITE.getName()).toArray(i -> {
            return new String[i];
        });
        GenericRestClient restClient = cluster.getRestClient(USER_EACH_TENANT_WRITE, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
            log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getBody());
            MatcherAssert.assertThat(Integer.valueOf(httpResponse.getStatusCode()), Matchers.equalTo(200));
            DocNode bodyAsDocNode = httpResponse.getBodyAsDocNode();
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.docNodeSizeEqualTo("$.data.tenants", 12));
            for (String str : strArr) {
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".read_access", true));
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".write_access", true));
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".exists", false));
            }
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldReturnInformationIfTenantIsAccessibleAndExist() throws Exception {
        createTenants(".kibana", HR_TENANT.getName(), FINANCE_TENANT.getName(), PR_TENANT.getName(), QA_TENANT.getName());
        GenericRestClient restClient = cluster.getRestClient(USER_SOME_TENANT_ACCESS, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
            log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getBody());
            MatcherAssert.assertThat(Integer.valueOf(httpResponse.getStatusCode()), Matchers.equalTo(200));
            DocNode bodyAsDocNode = httpResponse.getBodyAsDocNode();
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.docNodeSizeEqualTo("$.data.tenants", 7));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.information_technology_tenant.write_access", false));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.information_technology_tenant.exists", false));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.public_relations_tenant.write_access", false));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.public_relations_tenant.exists", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.quality_assurance_tenant.write_access", false));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.quality_assurance_tenant.exists", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.hr_tenant.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.hr_tenant.exists", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.finance_tenant.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.finance_tenant.exists", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.sales_tenant.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.sales_tenant.exists", false));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.user_some_tenant_access.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.user_some_tenant_access.exists", false));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldNotBeAccessibleForFrontendServerUser() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(FRONTEND_SERVER_USER, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
            log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getBody());
            MatcherAssert.assertThat(Integer.valueOf(httpResponse.getStatusCode()), Matchers.equalTo(403));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public void createTenants(String str, String... strArr) {
        Client internalNodeClient = cluster.getInternalNodeClient();
        try {
            for (String str2 : strArr) {
                MatcherAssert.assertThat(((IndexResponse) internalNodeClient.index(new IndexRequest(str).source(ImmutableMap.of("sg_tenant", TenantManager.toInternalTenantName(str2))).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE)).actionGet()).status(), Matchers.equalTo(RestStatus.CREATED));
            }
            if (internalNodeClient != null) {
                internalNodeClient.close();
            }
        } catch (Throwable th) {
            if (internalNodeClient != null) {
                try {
                    internalNodeClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }
}
