package com.floragunn.searchguard.enterprise.femt;

import com.floragunn.searchguard.SearchGuardModulesRegistry;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.PrivilegesEvaluationResult;
import com.floragunn.searchguard.authz.SyncAuthorizationFilter;
import com.floragunn.searchguard.authz.TenantManager;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.authz.actions.Actions;
import com.floragunn.searchguard.enterprise.femt.datamigration880.service.steps.MigrationEnvironmentHelper;
import com.floragunn.searchguard.enterprise.femt.request.handler.RequestHandler;
import com.floragunn.searchguard.enterprise.femt.request.handler.RequestHandlerFactory;
import com.floragunn.searchguard.user.User;
import java.util.Optional;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.admin.indices.delete.DeleteIndexRequest;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.indices.IndicesService;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentMatchers;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.MockitoJUnitRunner;

@RunWith(MockitoJUnitRunner.class)
/* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/MultiTenancyAuthorizationFilterTest.class */
public class MultiTenancyAuthorizationFilterTest {
    private static final Logger log = LogManager.getLogger(MultiTenancyAuthorizationFilterTest.class);
    public static final String PRIVATE_TENANT_HEADER_VALUE = "__user__";
    public static final String INTERNAL_TEST_USER_1_PRIVATE_TENANT_NAME = "-66146748_testusername1";
    public static final String HR_TENANT_NAME = "hr_tenant_name";
    public static final String IT_TENANT_NAME = "it_tenant_name";
    public static final String FRONTEND_MAIN_INDEX = ".kibana_8.9.0_001";
    public static final String TEST_USER_NAME_1 = "test_user_name_1";
    public static final String TEST_USER_NAME_2 = "test_user_name_2";
    public static final String INTERNAL_HR_TENANT_NAME = "1140937035_hrtenantname";
    public static final String INTERNAL_IT_TENANT_NAME = "48572396_ittenantname";

    @Mock
    private FeMultiTenancyConfig config;

    @Mock
    private RoleBasedTenantAuthorization tenantAuthorization;

    @Mock
    private TenantManager tenantManager;

    @Mock
    private ThreadContext threadContext;

    @Mock
    private RequestHandlerFactory handlerFactory;

    @Mock
    private ClusterService clusterServices;

    @Mock
    private IndicesService indicesService;

    @Mock
    private ActionListener<?> listener;

    @Mock
    private PrivilegesEvaluationContext context;

    @Mock
    private ActionRequestIntrospector.ActionRequestInfo actionRequestInfo;

    @Mock
    private User user;

    @Mock
    private ActionRequestIntrospector.ResolvedIndices resolvedIndices;

    @Mock
    private Action action;

    @Mock
    private RequestHandler<ActionRequest> actionHandler;
    private MultiTenancyAuthorizationFilter filter;

    @Before
    public void before() {
        Mockito.when(this.config.getIndex()).thenReturn(MigrationEnvironmentHelper.MULTITENANCY_INDEX_PREFIX);
        Mockito.when(Boolean.valueOf(this.config.isEnabled())).thenReturn(true);
        Mockito.when(this.context.getUser()).thenReturn(this.user);
        Mockito.when(this.config.getServerUsername()).thenReturn("frontend_server_user");
        Mockito.when(Boolean.valueOf(this.config.isPrivateTenantEnabled())).thenReturn(false);
        this.filter = new MultiTenancyAuthorizationFilter(this.config, this.tenantAuthorization, this.tenantManager, new Actions((SearchGuardModulesRegistry) null), this.threadContext, (Client) null, this.handlerFactory, this.clusterServices, this.indicesService);
    }

    @Test
    public void shouldAccessPrivateTenant_privateTenantEnabled() {
        Mockito.when(Boolean.valueOf(this.config.isPrivateTenantEnabled())).thenReturn(true);
        MultiTenancyAuthorizationFilter multiTenancyAuthorizationFilter = new MultiTenancyAuthorizationFilter(this.config, this.tenantAuthorization, this.tenantManager, new Actions((SearchGuardModulesRegistry) null), this.threadContext, (Client) null, this.handlerFactory, this.clusterServices, this.indicesService);
        Mockito.when(this.context.getRequestInfo()).thenReturn(this.actionRequestInfo);
        Mockito.when(this.actionRequestInfo.getResolvedIndices()).thenReturn(this.resolvedIndices);
        Mockito.when(Boolean.valueOf(this.resolvedIndices.isLocalAll())).thenReturn(false);
        GetRequest getRequest = new GetRequest(FRONTEND_MAIN_INDEX, "space:default");
        Mockito.when(this.context.getRequest()).thenReturn(getRequest);
        Mockito.when(this.context.getAction()).thenReturn(this.action);
        Mockito.when(this.action.name()).thenReturn("indices:data/read/search");
        Mockito.when(this.user.getName()).thenReturn(TEST_USER_NAME_1);
        Mockito.when(this.user.getRequestedTenant()).thenReturn(PRIVATE_TENANT_HEADER_VALUE);
        Mockito.when(Boolean.valueOf(this.tenantManager.isTenantHeaderValid(PRIVATE_TENANT_HEADER_VALUE))).thenReturn(true);
        Mockito.when(Boolean.valueOf(this.tenantManager.isUserTenantHeader(ArgumentMatchers.anyString()))).thenCallRealMethod();
        Mockito.when(this.tenantManager.toInternalTenantName(this.context.getUser())).thenCallRealMethod();
        Mockito.when(this.handlerFactory.requestHandlerFor(getRequest)).thenReturn(Optional.of(this.actionHandler));
        Mockito.when(this.actionHandler.handle((PrivilegesEvaluationContext) ArgumentMatchers.same(this.context), (String) ArgumentMatchers.eq(INTERNAL_TEST_USER_1_PRIVATE_TENANT_NAME), (ActionRequest) ArgumentMatchers.same(getRequest), (ActionListener) ArgumentMatchers.same(this.listener))).thenReturn(SyncAuthorizationFilter.Result.OK);
        SyncAuthorizationFilter.Result apply = multiTenancyAuthorizationFilter.apply(this.context, this.listener);
        log.info("Filter response {}", apply);
        MatcherAssert.assertThat(apply.getStatus(), Matchers.equalTo(SyncAuthorizationFilter.Result.Status.OK));
        ((RequestHandler) Mockito.verify(this.actionHandler)).handle((PrivilegesEvaluationContext) ArgumentMatchers.same(this.context), (String) ArgumentMatchers.eq(INTERNAL_TEST_USER_1_PRIVATE_TENANT_NAME), (ActionRequest) ArgumentMatchers.same(getRequest), (ActionListener) ArgumentMatchers.same(this.listener));
        Mockito.verifyNoInteractions(new Object[]{this.listener});
    }

    @Test
    public void shouldNotAccessPrivateTenant() {
        Mockito.when(this.context.getRequestInfo()).thenReturn(this.actionRequestInfo);
        Mockito.when(this.actionRequestInfo.getResolvedIndices()).thenReturn(this.resolvedIndices);
        Mockito.when(Boolean.valueOf(this.resolvedIndices.isLocalAll())).thenReturn(false);
        Mockito.when(this.context.getRequest()).thenReturn(new GetRequest(FRONTEND_MAIN_INDEX, "space:default"));
        Mockito.when(this.context.getAction()).thenReturn(this.action);
        Mockito.when(this.action.name()).thenReturn("indices:data/read/search");
        Mockito.when(this.user.getName()).thenReturn(TEST_USER_NAME_1);
        Mockito.when(this.user.getRequestedTenant()).thenReturn(PRIVATE_TENANT_HEADER_VALUE);
        Mockito.when(Boolean.valueOf(this.tenantManager.isTenantHeaderValid(PRIVATE_TENANT_HEADER_VALUE))).thenReturn(true);
        Mockito.when(Boolean.valueOf(this.tenantManager.isUserTenantHeader(ArgumentMatchers.anyString()))).thenCallRealMethod();
        SyncAuthorizationFilter.Result apply = this.filter.apply(this.context, this.listener);
        log.info("Filter response {}", apply);
        MatcherAssert.assertThat(apply.getStatus(), Matchers.equalTo(SyncAuthorizationFilter.Result.Status.DENIED));
        Mockito.verifyNoInteractions(new Object[]{this.listener});
        Mockito.verifyNoInteractions(new Object[]{this.handlerFactory});
        Mockito.verifyNoInteractions(new Object[]{this.tenantAuthorization});
    }

    @Test
    public void shouldBePermittedToPerformWriteOperationOnHrTenant() throws PrivilegesEvaluationException {
        Mockito.when(this.context.getRequestInfo()).thenReturn(this.actionRequestInfo);
        Mockito.when(this.actionRequestInfo.getResolvedIndices()).thenReturn(this.resolvedIndices);
        Mockito.when(Boolean.valueOf(this.resolvedIndices.isLocalAll())).thenReturn(false);
        IndexRequest index = new IndexRequest().index(FRONTEND_MAIN_INDEX);
        Mockito.when(this.context.getRequest()).thenReturn(index);
        Mockito.when(this.context.getAction()).thenReturn(this.action);
        Mockito.when(this.action.name()).thenReturn("indices:data/write/index");
        Mockito.when(this.user.getName()).thenReturn(TEST_USER_NAME_2);
        Mockito.when(this.user.getRequestedTenant()).thenReturn(HR_TENANT_NAME);
        Mockito.when(Boolean.valueOf(this.tenantManager.isTenantHeaderValid(HR_TENANT_NAME))).thenReturn(true);
        Mockito.when(Boolean.valueOf(this.tenantManager.isUserTenantHeader(ArgumentMatchers.anyString()))).thenCallRealMethod();
        Mockito.when(this.tenantManager.toInternalTenantName(this.context.getUser())).thenCallRealMethod();
        Mockito.when(this.handlerFactory.requestHandlerFor(index)).thenReturn(Optional.of(this.actionHandler));
        Mockito.when(this.actionHandler.handle((PrivilegesEvaluationContext) ArgumentMatchers.same(this.context), (String) ArgumentMatchers.eq(INTERNAL_HR_TENANT_NAME), (ActionRequest) ArgumentMatchers.same(index), (ActionListener) ArgumentMatchers.same(this.listener))).thenReturn(SyncAuthorizationFilter.Result.OK);
        Actions actions = new Actions((SearchGuardModulesRegistry) null);
        Action kibanaReadAction = KibanaActionsProvider.getKibanaReadAction(actions);
        Action kibanaWriteAction = KibanaActionsProvider.getKibanaWriteAction(actions);
        Mockito.when(this.tenantAuthorization.hasTenantPermission(this.context, kibanaReadAction, HR_TENANT_NAME)).thenReturn(PrivilegesEvaluationResult.OK);
        Mockito.when(this.tenantAuthorization.hasTenantPermission(this.context, kibanaWriteAction, HR_TENANT_NAME)).thenReturn(PrivilegesEvaluationResult.OK);
        SyncAuthorizationFilter.Result apply = this.filter.apply(this.context, this.listener);
        log.info("Filter response {}", apply);
        MatcherAssert.assertThat(apply.getStatus(), Matchers.equalTo(SyncAuthorizationFilter.Result.Status.OK));
        ((RequestHandler) Mockito.verify(this.actionHandler)).handle((PrivilegesEvaluationContext) ArgumentMatchers.same(this.context), (String) ArgumentMatchers.eq(INTERNAL_HR_TENANT_NAME), (ActionRequest) ArgumentMatchers.same(index), (ActionListener) ArgumentMatchers.same(this.listener));
        Mockito.verifyNoInteractions(new Object[]{this.listener});
        ((RoleBasedTenantAuthorization) Mockito.verify(this.tenantAuthorization)).hasTenantPermission(this.context, kibanaReadAction, HR_TENANT_NAME);
        ((RoleBasedTenantAuthorization) Mockito.verify(this.tenantAuthorization)).hasTenantPermission(this.context, kibanaWriteAction, HR_TENANT_NAME);
    }

    @Test
    public void shouldNotBePermittedToPerformWriteOperationOnHrTenant() throws PrivilegesEvaluationException {
        Mockito.when(this.context.getRequestInfo()).thenReturn(this.actionRequestInfo);
        Mockito.when(this.actionRequestInfo.getResolvedIndices()).thenReturn(this.resolvedIndices);
        Mockito.when(Boolean.valueOf(this.resolvedIndices.isLocalAll())).thenReturn(false);
        Mockito.when(this.context.getRequest()).thenReturn(new IndexRequest().index(FRONTEND_MAIN_INDEX));
        Mockito.when(this.context.getAction()).thenReturn(this.action);
        Mockito.when(this.action.name()).thenReturn("indices:data/write/index");
        Mockito.when(this.user.getName()).thenReturn(TEST_USER_NAME_2);
        Mockito.when(this.user.getRequestedTenant()).thenReturn(HR_TENANT_NAME);
        Mockito.when(Boolean.valueOf(this.tenantManager.isTenantHeaderValid(HR_TENANT_NAME))).thenReturn(true);
        Mockito.when(Boolean.valueOf(this.tenantManager.isUserTenantHeader(ArgumentMatchers.anyString()))).thenCallRealMethod();
        Actions actions = new Actions((SearchGuardModulesRegistry) null);
        Action kibanaReadAction = KibanaActionsProvider.getKibanaReadAction(actions);
        Action kibanaWriteAction = KibanaActionsProvider.getKibanaWriteAction(actions);
        Mockito.when(this.tenantAuthorization.hasTenantPermission(this.context, kibanaReadAction, HR_TENANT_NAME)).thenReturn(PrivilegesEvaluationResult.OK);
        Mockito.when(this.tenantAuthorization.hasTenantPermission(this.context, kibanaWriteAction, HR_TENANT_NAME)).thenReturn(PrivilegesEvaluationResult.INSUFFICIENT);
        SyncAuthorizationFilter.Result apply = this.filter.apply(this.context, this.listener);
        log.info("Filter response {}", apply);
        MatcherAssert.assertThat(apply.getStatus(), Matchers.equalTo(SyncAuthorizationFilter.Result.Status.DENIED));
        Mockito.verifyNoInteractions(new Object[]{this.listener});
        Mockito.verifyNoInteractions(new Object[]{this.handlerFactory});
        ((RoleBasedTenantAuthorization) Mockito.verify(this.tenantAuthorization)).hasTenantPermission(this.context, kibanaReadAction, HR_TENANT_NAME);
        ((RoleBasedTenantAuthorization) Mockito.verify(this.tenantAuthorization)).hasTenantPermission(this.context, kibanaWriteAction, HR_TENANT_NAME);
    }

    @Test
    public void shouldBePermittedToPerformReadOnlyOperationOnItTenant() throws PrivilegesEvaluationException {
        Mockito.when(this.context.getRequestInfo()).thenReturn(this.actionRequestInfo);
        Mockito.when(this.actionRequestInfo.getResolvedIndices()).thenReturn(this.resolvedIndices);
        Mockito.when(Boolean.valueOf(this.resolvedIndices.isLocalAll())).thenReturn(false);
        GetRequest getRequest = new GetRequest(FRONTEND_MAIN_INDEX, "document_id");
        Mockito.when(this.context.getRequest()).thenReturn(getRequest);
        Mockito.when(this.context.getAction()).thenReturn(this.action);
        Mockito.when(this.action.name()).thenReturn("indices:data/read/get");
        Mockito.when(this.user.getName()).thenReturn(TEST_USER_NAME_2);
        Mockito.when(this.user.getRequestedTenant()).thenReturn(IT_TENANT_NAME);
        Mockito.when(Boolean.valueOf(this.tenantManager.isTenantHeaderValid(IT_TENANT_NAME))).thenReturn(true);
        Mockito.when(Boolean.valueOf(this.tenantManager.isUserTenantHeader(ArgumentMatchers.anyString()))).thenCallRealMethod();
        Mockito.when(this.tenantManager.toInternalTenantName(this.context.getUser())).thenCallRealMethod();
        Mockito.when(this.handlerFactory.requestHandlerFor(getRequest)).thenReturn(Optional.of(this.actionHandler));
        Mockito.when(this.actionHandler.handle((PrivilegesEvaluationContext) ArgumentMatchers.same(this.context), (String) ArgumentMatchers.eq(INTERNAL_IT_TENANT_NAME), (ActionRequest) ArgumentMatchers.same(getRequest), (ActionListener) ArgumentMatchers.same(this.listener))).thenReturn(SyncAuthorizationFilter.Result.OK);
        Actions actions = new Actions((SearchGuardModulesRegistry) null);
        Action kibanaReadAction = KibanaActionsProvider.getKibanaReadAction(actions);
        Action kibanaWriteAction = KibanaActionsProvider.getKibanaWriteAction(actions);
        Mockito.when(this.tenantAuthorization.hasTenantPermission(this.context, kibanaReadAction, IT_TENANT_NAME)).thenReturn(PrivilegesEvaluationResult.OK);
        Mockito.when(this.tenantAuthorization.hasTenantPermission(this.context, kibanaWriteAction, IT_TENANT_NAME)).thenReturn(PrivilegesEvaluationResult.INSUFFICIENT);
        SyncAuthorizationFilter.Result apply = this.filter.apply(this.context, this.listener);
        log.info("Filter response {}", apply);
        MatcherAssert.assertThat(apply.getStatus(), Matchers.equalTo(SyncAuthorizationFilter.Result.Status.OK));
        ((RequestHandler) Mockito.verify(this.actionHandler)).handle((PrivilegesEvaluationContext) ArgumentMatchers.same(this.context), (String) ArgumentMatchers.eq(INTERNAL_IT_TENANT_NAME), (ActionRequest) ArgumentMatchers.same(getRequest), (ActionListener) ArgumentMatchers.same(this.listener));
        Mockito.verifyNoInteractions(new Object[]{this.listener});
        ((RoleBasedTenantAuthorization) Mockito.verify(this.tenantAuthorization)).hasTenantPermission(this.context, kibanaReadAction, IT_TENANT_NAME);
        ((RoleBasedTenantAuthorization) Mockito.verify(this.tenantAuthorization)).hasTenantPermission(this.context, kibanaWriteAction, IT_TENANT_NAME);
    }

    @Test
    public void shouldNotBePermittedToPerformDeleteIndexOperationOnItTenantForReadOnlyUser() throws PrivilegesEvaluationException {
        Mockito.when(this.context.getRequestInfo()).thenReturn(this.actionRequestInfo);
        Mockito.when(this.actionRequestInfo.getResolvedIndices()).thenReturn(this.resolvedIndices);
        Mockito.when(Boolean.valueOf(this.resolvedIndices.isLocalAll())).thenReturn(false);
        Mockito.when(this.context.getRequest()).thenReturn(new DeleteIndexRequest(FRONTEND_MAIN_INDEX));
        Mockito.when(this.context.getAction()).thenReturn(this.action);
        Mockito.when(this.action.name()).thenReturn("indices:admin/delete");
        Mockito.when(this.user.getName()).thenReturn(TEST_USER_NAME_2);
        Mockito.when(this.user.getRequestedTenant()).thenReturn(IT_TENANT_NAME);
        Mockito.when(Boolean.valueOf(this.tenantManager.isTenantHeaderValid(IT_TENANT_NAME))).thenReturn(true);
        Mockito.when(Boolean.valueOf(this.tenantManager.isUserTenantHeader(ArgumentMatchers.anyString()))).thenCallRealMethod();
        Actions actions = new Actions((SearchGuardModulesRegistry) null);
        Action kibanaReadAction = KibanaActionsProvider.getKibanaReadAction(actions);
        Action kibanaWriteAction = KibanaActionsProvider.getKibanaWriteAction(actions);
        Mockito.when(this.tenantAuthorization.hasTenantPermission(this.context, kibanaReadAction, IT_TENANT_NAME)).thenReturn(PrivilegesEvaluationResult.OK);
        Mockito.when(this.tenantAuthorization.hasTenantPermission(this.context, kibanaWriteAction, IT_TENANT_NAME)).thenReturn(PrivilegesEvaluationResult.INSUFFICIENT);
        SyncAuthorizationFilter.Result apply = this.filter.apply(this.context, this.listener);
        log.info("Filter response {}", apply);
        MatcherAssert.assertThat(apply.getStatus(), Matchers.equalTo(SyncAuthorizationFilter.Result.Status.DENIED));
        Mockito.verifyNoInteractions(new Object[]{this.listener});
        Mockito.verifyNoInteractions(new Object[]{this.handlerFactory});
        ((RoleBasedTenantAuthorization) Mockito.verify(this.tenantAuthorization)).hasTenantPermission(this.context, kibanaReadAction, IT_TENANT_NAME);
        ((RoleBasedTenantAuthorization) Mockito.verify(this.tenantAuthorization)).hasTenantPermission(this.context, kibanaWriteAction, IT_TENANT_NAME);
    }
}
