package com.floragunn.searchguard.enterprise.femt.tenants;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.UnmodifiableIterator;
import com.floragunn.searchguard.authz.TenantManager;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.enterprise.femt.FeMultiTenancyConfig;
import com.floragunn.searchguard.enterprise.femt.FeMultiTenancyConfigurationProvider;
import com.floragunn.searchguard.support.PrivilegedConfigClient;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.RestMatchers;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchsupport.junit.matcher.DocNodeMatchers;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
import org.elasticsearch.action.admin.indices.delete.DeleteIndexRequest;
import org.elasticsearch.action.admin.indices.mapping.get.GetMappingsRequest;
import org.elasticsearch.action.admin.indices.mapping.get.GetMappingsResponse;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.action.support.master.AcknowledgedResponse;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.client.internal.node.NodeClient;
import org.elasticsearch.cluster.metadata.MappingMetadata;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestStatus;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Before;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/tenants/TenantsTest.class */
public class TenantsTest {
    private static final String FRONTEND_INDEX = ".kibana";
    private MultitenancyActivationService multitenancyActivationService;
    private static final Logger log = LogManager.getLogger(TenantsTest.class);
    private static final TestSgConfig.Tenant HR_TENANT = new TestSgConfig.Tenant("hr_tenant");
    private static final TestSgConfig.Tenant FINANCE_TENANT = new TestSgConfig.Tenant("finance_tenant");
    private static final TestSgConfig.Tenant SALES_TENANT = new TestSgConfig.Tenant("sales_tenant");
    private static final TestSgConfig.Tenant OPERATIONS_TENANT = new TestSgConfig.Tenant("operations_tenant");
    private static final TestSgConfig.Tenant RD_TENANT = new TestSgConfig.Tenant("r&d_tenant");
    private static final TestSgConfig.Tenant BD_TENANT = new TestSgConfig.Tenant("business_development_tenant");
    private static final TestSgConfig.Tenant LEGAL_TENANT = new TestSgConfig.Tenant("legal_tenant");
    private static final TestSgConfig.Tenant IT_TENANT = new TestSgConfig.Tenant("information_technology_tenant");
    private static final TestSgConfig.Tenant PR_TENANT = new TestSgConfig.Tenant("public_relations_tenant");
    private static final TestSgConfig.Tenant QA_TENANT = new TestSgConfig.Tenant("quality_assurance_tenant");
    private static final ImmutableList<TestSgConfig.Tenant> ALL_DEFINED_TENANTS = ImmutableList.of(HR_TENANT, FINANCE_TENANT, SALES_TENANT, new TestSgConfig.Tenant[]{OPERATIONS_TENANT, RD_TENANT, BD_TENANT, LEGAL_TENANT, IT_TENANT, PR_TENANT, QA_TENANT});
    private static final TestSgConfig.User USER_SINGLE_TENANT = new TestSgConfig.User("user_single_tenant").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("single_tenant_access").withTenantPermission(new String[]{"*"}).on(new String[]{HR_TENANT.getName()}).indexPermissions(new String[]{"*"}).on(new String[]{".kibana*"})});
    private static final TestSgConfig.User FRONTEND_SERVER_USER = new TestSgConfig.User("kibana_server");
    private static final TestSgConfig.User USER_EACH_TENANT_READ = new TestSgConfig.User("user_each_tenant_read").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("each_tenant_read_access").withTenantPermission(new String[]{"SGS_KIBANA_ALL_READ"}).on((String[]) ALL_DEFINED_TENANTS.map((v0) -> {
        return v0.getName();
    }).with("SGS_GLOBAL_TENANT").toArray(i -> {
        return new String[i];
    })).indexPermissions(new String[]{"*"}).on(new String[]{".kibana*"})});
    private static final TestSgConfig.User USER_EACH_TENANT_WRITE = new TestSgConfig.User("user_each_tenant_write").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("each_tenant_write_access").withTenantPermission(new String[]{"SGS_KIBANA_ALL_WRITE"}).on((String[]) ALL_DEFINED_TENANTS.map((v0) -> {
        return v0.getName();
    }).with("SGS_GLOBAL_TENANT").toArray(i -> {
        return new String[i];
    })).indexPermissions(new String[]{"*"}).on(new String[]{".kibana*"})});
    private static final TestSgConfig.User USER_SOME_TENANT_ACCESS = new TestSgConfig.User("user_some_tenant_access").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("some_tenant_access").withTenantPermission(new String[]{"SGS_KIBANA_ALL_WRITE"}).on(new String[]{HR_TENANT.getName(), FINANCE_TENANT.getName(), SALES_TENANT.getName()}).withTenantPermission(new String[]{"SGS_KIBANA_ALL_READ"}).on(new String[]{IT_TENANT.getName(), PR_TENANT.getName(), QA_TENANT.getName()}).indexPermissions(new String[]{"*"}).on(new String[]{".kibana*"})});
    private static final TestSgConfig.User USER_WITH_ACCESS_ONLY_TO_GLOBAL_TENANT = new TestSgConfig.User("user_with_access_only_to_global_tenant").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("global_tenant_access").clusterPermissions(new String[]{"cluster:admin:searchguard:femt:user/available_tenants/get"}).withTenantPermission(new String[]{"*"}).on(new String[]{"SGS_GLOBAL_TENANT"})});

    @ClassRule
    public static LocalCluster.Embedded cluster = new LocalCluster.Builder().sslEnabled().nodeSettings(new Object[]{"action.destructive_requires_name", false, "searchguard.unsupported.single_index_mt_enabled", true}).enterpriseModulesEnabled().roleMapping(new TestSgConfig.RoleMapping[]{new TestSgConfig.RoleMapping("SGS_KIBANA_USER").users(new String[]{USER_SINGLE_TENANT.getName(), USER_EACH_TENANT_READ.getName(), USER_EACH_TENANT_WRITE.getName(), USER_SOME_TENANT_ACCESS.getName()}), new TestSgConfig.RoleMapping("SGS_KIBANA_SERVER").users(new String[]{FRONTEND_SERVER_USER.getName()})}).users(new TestSgConfig.User[]{FRONTEND_SERVER_USER, USER_SINGLE_TENANT, USER_EACH_TENANT_READ, USER_EACH_TENANT_WRITE, USER_SOME_TENANT_ACCESS, USER_WITH_ACCESS_ONLY_TO_GLOBAL_TENANT}).frontendMultiTenancy(new TestSgConfig.FrontendMultiTenancy(true).index(".kibana").serverUser(FRONTEND_SERVER_USER.getName())).tenants(new TestSgConfig.Tenant[]{HR_TENANT, FINANCE_TENANT, SALES_TENANT, OPERATIONS_TENANT, RD_TENANT, BD_TENANT, LEGAL_TENANT, IT_TENANT, PR_TENANT, QA_TENANT}).embedded().build();

    @Before
    public void setUpIndex() {
        Client internalNodeClient = cluster.getInternalNodeClient();
        MatcherAssert.assertThat(Boolean.valueOf(((CreateIndexResponse) internalNodeClient.admin().indices().create(new CreateIndexRequest(".kibana").settings(Settings.builder().put("index.hidden", true)).mapping(DocNode.of("_doc", DocNode.of("properties", DocNode.of("sg_tenant", DocNode.of("type", "keyword")))))).actionGet()).isAcknowledged()), Matchers.equalTo(true));
    }

    @Before
    public void setUpTestedDependencies() {
        this.multitenancyActivationService = new MultitenancyActivationService(new TenantRepository(PrivilegedConfigClient.adapt((Client) cluster.getInjectable(NodeClient.class))), (ConfigurationRepository) cluster.getInjectable(ConfigurationRepository.class), (FeMultiTenancyConfigurationProvider) cluster.getInjectable(FeMultiTenancyConfigurationProvider.class));
    }

    @After
    public void clearIndices() {
        removeKibanaRelatedIndices();
    }

    @Test
    public void getAvailableTenantsAction_shouldFindAccessibleTenantsForSingleTenantUser() throws Exception {
        createTenants(".kibana", (String[]) ALL_DEFINED_TENANTS.map((v0) -> {
            return v0.getName();
        }).toArray(i -> {
            return new String[i];
        }));
        BasicHeader basicHeader = new BasicHeader("sg_tenant", "test_tenant");
        GenericRestClient restClient = cluster.getRestClient(USER_SINGLE_TENANT, new Header[]{basicHeader});
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
            log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getBody());
            MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            DocNode bodyAsDocNode = httpResponse.getBodyAsDocNode();
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.default_tenant", "SGS_GLOBAL_TENANT"));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.username", USER_SINGLE_TENANT.getName()));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.user_requested_tenant", basicHeader.getValue()));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.multi_tenancy_enabled", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.hr_tenant.read_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.hr_tenant.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.hr_tenant.exists", true));
            MatcherAssert.assertThat(bodyAsDocNode, Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("$.data.tenants.user_single_tenant", "read_access")));
            MatcherAssert.assertThat(bodyAsDocNode, Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("$.data.tenants.user_single_tenant", "write_access")));
            MatcherAssert.assertThat(bodyAsDocNode, Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("$.data.tenants.user_single_tenant", "exists")));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.read_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.exists", false));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsOnlyFields("$.data.tenants", new String[]{"hr_tenant", "SGS_GLOBAL_TENANT"}));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void getAvailableTenantsAction_shouldFindAccessibleTenantsForUserAllowedToReadEachTenantData() throws Exception {
        createTenants(".kibana", (String[]) ALL_DEFINED_TENANTS.map((v0) -> {
            return v0.getName();
        }).with(USER_EACH_TENANT_READ.getName()).toArray(i -> {
            return new String[i];
        }));
        GenericRestClient restClient = cluster.getRestClient(USER_EACH_TENANT_READ, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
            log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getBody());
            MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            DocNode bodyAsDocNode = httpResponse.getBodyAsDocNode();
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsOnlyFields("$.data.tenants", new String[]{"business_development_tenant", "sales_tenant", "quality_assurance_tenant", "finance_tenant", "SGS_GLOBAL_TENANT", "operations_tenant", "public_relations_tenant", "hr_tenant", "legal_tenant", "r&d_tenant", "information_technology_tenant"}));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.default_tenant", "SGS_GLOBAL_TENANT"));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.username", USER_EACH_TENANT_READ.getName()));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsNullValue("$.data.user_requested_tenant"));
            UnmodifiableIterator it = ALL_DEFINED_TENANTS.map((v0) -> {
                return v0.getName();
            }).iterator();
            while (it.hasNext()) {
                String str = (String) it.next();
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".read_access", true));
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".write_access", false));
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".exists", true));
            }
            MatcherAssert.assertThat(bodyAsDocNode, Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("$.data.tenants.user_each_tenant_read", "write_access")));
            MatcherAssert.assertThat(bodyAsDocNode, Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("$.data.tenants.user_each_tenant_read", "exists")));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.read_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.exists", false));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void getAvailableTenantsAction_shouldFindAccessibleTenantsForUserAllowedToWriteEachTenantData() throws Exception {
        String[] strArr = (String[]) ALL_DEFINED_TENANTS.map((v0) -> {
            return v0.getName();
        }).with(USER_EACH_TENANT_WRITE.getName()).toArray(i -> {
            return new String[i];
        });
        createTenants(".kibana", strArr);
        List<String> list = Arrays.stream(strArr).filter(str -> {
            return !str.equals(USER_EACH_TENANT_WRITE.getName());
        }).toList();
        GenericRestClient restClient = cluster.getRestClient(USER_EACH_TENANT_WRITE, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
            log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getBody());
            MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            DocNode bodyAsDocNode = httpResponse.getBodyAsDocNode();
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsOnlyFields("$.data.tenants", new String[]{"business_development_tenant", "information_technology_tenant", "sales_tenant", "quality_assurance_tenant", "finance_tenant", "SGS_GLOBAL_TENANT", "operations_tenant", "public_relations_tenant", "hr_tenant", "legal_tenant", "r&d_tenant"}));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.default_tenant", "SGS_GLOBAL_TENANT"));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.username", USER_EACH_TENANT_WRITE.getName()));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsNullValue("$.data.user_requested_tenant"));
            for (String str2 : list) {
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str2 + ".read_access", true));
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str2 + ".write_access", true));
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str2 + ".exists", true));
            }
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void getAvailableTenantsAction_shouldFindAccessibleTenantsWhichDoesNotExist() throws Exception {
        String[] strArr = (String[]) ALL_DEFINED_TENANTS.map((v0) -> {
            return v0.getName();
        }).toArray(i -> {
            return new String[i];
        });
        GenericRestClient restClient = cluster.getRestClient(USER_EACH_TENANT_WRITE, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
            log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getBody());
            MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            DocNode bodyAsDocNode = httpResponse.getBodyAsDocNode();
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsOnlyFields("$.data.tenants", new String[]{"business_development_tenant", "information_technology_tenant", "sales_tenant", "quality_assurance_tenant", "finance_tenant", "SGS_GLOBAL_TENANT", "operations_tenant", "public_relations_tenant", "hr_tenant", "legal_tenant", "r&d_tenant"}));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.default_tenant", "SGS_GLOBAL_TENANT"));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.username", USER_EACH_TENANT_WRITE.getName()));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsNullValue("$.data.user_requested_tenant"));
            MatcherAssert.assertThat(bodyAsDocNode, Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("$.data.tenants.user_each_tenant_write", "read_access")));
            MatcherAssert.assertThat(bodyAsDocNode, Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("$.data.tenants.user_each_tenant_write", "write_access")));
            MatcherAssert.assertThat(bodyAsDocNode, Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("$.data.tenants.user_each_tenant_write", "exists")));
            for (String str : strArr) {
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".read_access", true));
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".write_access", true));
                MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants." + str + ".exists", false));
            }
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void getAvailableTenantsAction_shouldReturnInformationIfTenantIsAccessibleAndExist() throws Exception {
        createTenants(".kibana", HR_TENANT.getName(), FINANCE_TENANT.getName(), PR_TENANT.getName(), QA_TENANT.getName());
        GenericRestClient restClient = cluster.getRestClient(USER_SOME_TENANT_ACCESS, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
            log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getBody());
            MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            DocNode bodyAsDocNode = httpResponse.getBodyAsDocNode();
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsOnlyFields("$.data.tenants", new String[]{"sales_tenant", "quality_assurance_tenant", "finance_tenant", "SGS_GLOBAL_TENANT", "public_relations_tenant", "hr_tenant"}));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.default_tenant", "SGS_GLOBAL_TENANT"));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.username", USER_SOME_TENANT_ACCESS.getName()));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsNullValue("$.data.user_requested_tenant"));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.public_relations_tenant.write_access", false));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.public_relations_tenant.exists", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.quality_assurance_tenant.write_access", false));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.quality_assurance_tenant.exists", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.hr_tenant.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.hr_tenant.exists", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.finance_tenant.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.finance_tenant.exists", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.sales_tenant.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.sales_tenant.exists", false));
            MatcherAssert.assertThat(bodyAsDocNode, Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("$.data.tenants.user_some_tenant_access", "write_access")));
            MatcherAssert.assertThat(bodyAsDocNode, Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("$.data.tenants.user_some_tenant_access", "exists")));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.read_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.exists", false));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void getAvailableTenantsAction_shouldNotBeAccessibleForFrontendServerUser() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(FRONTEND_SERVER_USER, new Header[0]);
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
            log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getBody());
            MatcherAssert.assertThat(httpResponse, RestMatchers.isForbidden());
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void getAvailableTenantsAction_shouldReturnUnauthorized_whenUserDoesNotHaveAccessToAnyTenantAndDefaultTenantCannotBeDetermined() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(USER_WITH_ACCESS_ONLY_TO_GLOBAL_TENANT, new Header[0]);
        try {
            GenericRestClient adminCertRestClient = cluster.getAdminCertRestClient();
            try {
                GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
                MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
                MatcherAssert.assertThat(httpResponse.getBodyAsDocNode(), DocNodeMatchers.containsValue("$.data.default_tenant", "SGS_GLOBAL_TENANT"));
                cluster.callAndRestoreConfig(FeMultiTenancyConfig.TYPE, () -> {
                    GenericRestClient.HttpResponse httpResponse2 = adminCertRestClient.get("/_searchguard/config/fe_multi_tenancy", new Header[0]);
                    MatcherAssert.assertThat(httpResponse2.getBody(), httpResponse2, RestMatchers.isOk());
                    GenericRestClient.HttpResponse putJson = adminCertRestClient.putJson("/_searchguard/config/fe_multi_tenancy", httpResponse2.getBodyAsDocNode().getAsNode("content").with("global_tenant_enabled", false));
                    MatcherAssert.assertThat(putJson.getBody(), putJson, RestMatchers.isOk());
                    GenericRestClient.HttpResponse httpResponse3 = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
                    log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse3.getStatusCode()), httpResponse3.getBody());
                    MatcherAssert.assertThat(httpResponse3.getBody(), Integer.valueOf(httpResponse3.getStatusCode()), Matchers.equalTo(401));
                    MatcherAssert.assertThat(httpResponse3.getBodyAsDocNode(), DocNodeMatchers.containsValue("$.message", "Cannot determine default tenant for current user"));
                    return null;
                });
                if (adminCertRestClient != null) {
                    adminCertRestClient.close();
                }
                if (restClient != null) {
                    restClient.close();
                }
            } finally {
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void shouldDetectThatGlobalTenantExist() throws Exception {
        createTenants(".kibana", "SGS_GLOBAL_TENANT");
        GenericRestClient restClient = cluster.getRestClient(USER_SINGLE_TENANT, new Header[]{new BasicHeader("sg_tenant", "test_tenant")});
        try {
            GenericRestClient.HttpResponse httpResponse = restClient.get("/_searchguard/current_user/tenants", new Header[0]);
            log.debug("Response status '{}' and body '{}'.", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getBody());
            MatcherAssert.assertThat(httpResponse, RestMatchers.isOk());
            DocNode bodyAsDocNode = httpResponse.getBodyAsDocNode();
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.read_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.write_access", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.data.tenants.SGS_GLOBAL_TENANT.exists", true));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void tenantIndexMappingsExtender_shouldAddSgTenantFieldToMappingsWhenAllKibanaIndicesExist() {
        removeKibanaRelatedIndices();
        this.multitenancyActivationService.activate();
        MatcherAssert.assertThat(getKibanaIndicesMappings().getMappings(), Matchers.anEmptyMap());
        createKibanaIndicesAndAliases();
        this.multitenancyActivationService.activate();
        GetMappingsResponse kibanaIndicesMappings = getKibanaIndicesMappings();
        MatcherAssert.assertThat(kibanaIndicesMappings.getMappings().keySet(), Matchers.containsInAnyOrder(new String[]{".kibana_1.2.3", ".kibana_analytics_1.2.3", ".kibana_ingest_1.2.3", ".kibana_security_solution_1.2.3", ".kibana_alerting_cases_1.2.3"}));
        Iterator it = kibanaIndicesMappings.getMappings().values().iterator();
        while (it.hasNext()) {
            DocNode wrap = DocNode.wrap(((MappingMetadata) it.next()).sourceAsMap());
            MatcherAssert.assertThat(wrap, Matchers.hasKey("properties"));
            MatcherAssert.assertThat(wrap.getAsNode("properties"), Matchers.hasKey("sg_tenant"));
            MatcherAssert.assertThat(wrap.getAsNode("properties").getAsNode("sg_tenant"), Matchers.equalTo(DocNode.of("type", "keyword")));
        }
        this.multitenancyActivationService.activate();
        GetMappingsResponse kibanaIndicesMappings2 = getKibanaIndicesMappings();
        MatcherAssert.assertThat(kibanaIndicesMappings2.getMappings().keySet(), Matchers.containsInAnyOrder(new String[]{".kibana_1.2.3", ".kibana_analytics_1.2.3", ".kibana_ingest_1.2.3", ".kibana_security_solution_1.2.3", ".kibana_alerting_cases_1.2.3"}));
        Iterator it2 = kibanaIndicesMappings2.getMappings().values().iterator();
        while (it2.hasNext()) {
            DocNode wrap2 = DocNode.wrap(((MappingMetadata) it2.next()).sourceAsMap());
            MatcherAssert.assertThat(wrap2, Matchers.hasKey("properties"));
            MatcherAssert.assertThat(wrap2.getAsNode("properties"), Matchers.hasKey("sg_tenant"));
            MatcherAssert.assertThat(wrap2.getAsNode("properties").getAsNode("sg_tenant"), Matchers.equalTo(DocNode.of("type", "keyword")));
        }
    }

    @Test
    public void tenantIndexMappingsExtender_shouldAddSgTenantFieldToMappingsWhenSomeKibaneRelatedIndicesDoesNotExist() {
        removeKibanaRelatedIndices();
        createKibanaIndicesAndAliases(".kibana", ".kibana_analytics");
        this.multitenancyActivationService.activate();
        GetMappingsResponse kibanaIndicesMappings = getKibanaIndicesMappings();
        MatcherAssert.assertThat(kibanaIndicesMappings.getMappings().keySet(), Matchers.containsInAnyOrder(new String[]{".kibana_1.2.3", ".kibana_analytics_1.2.3"}));
        Iterator it = kibanaIndicesMappings.getMappings().values().iterator();
        while (it.hasNext()) {
            DocNode wrap = DocNode.wrap(((MappingMetadata) it.next()).sourceAsMap());
            MatcherAssert.assertThat(wrap, Matchers.hasKey("properties"));
            MatcherAssert.assertThat(wrap.getAsNode("properties"), Matchers.hasKey("sg_tenant"));
            MatcherAssert.assertThat(wrap.getAsNode("properties").getAsNode("sg_tenant"), Matchers.equalTo(DocNode.of("type", "keyword")));
        }
    }

    public void createTenants(String str, String... strArr) {
        Client internalNodeClient = cluster.getInternalNodeClient();
        for (String str2 : strArr) {
            ImmutableMap of = ImmutableMap.of("type", "space");
            String str3 = "space:default";
            if (!"SGS_GLOBAL_TENANT".equals(str2)) {
                String internalTenantName = TenantManager.toInternalTenantName(str2);
                of = of.with("sg_tenant", internalTenantName);
                str3 = str3 + "__sg_ten__" + internalTenantName;
            }
            MatcherAssert.assertThat(((DocWriteResponse) internalNodeClient.index(new IndexRequest(str).id(str3).source(of).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE)).actionGet()).status(), Matchers.equalTo(RestStatus.CREATED));
        }
    }

    private void removeKibanaRelatedIndices() {
        MatcherAssert.assertThat(Boolean.valueOf(((AcknowledgedResponse) cluster.getInternalNodeClient().admin().indices().delete(new DeleteIndexRequest(".kibana*")).actionGet()).isAcknowledged()), Matchers.equalTo(true));
    }

    private GetMappingsResponse getKibanaIndicesMappings() {
        return (GetMappingsResponse) cluster.getInternalNodeClient().admin().indices().getMappings(new GetMappingsRequest().indices(new String[]{".kibana*"})).actionGet();
    }

    private void createKibanaIndicesAndAliases(String... strArr) {
        Client internalNodeClient = cluster.getInternalNodeClient();
        IndicesAliasesRequest indicesAliasesRequest = new IndicesAliasesRequest();
        for (String str : strArr) {
            String str2 = str + "_1.2.3";
            MatcherAssert.assertThat(Boolean.valueOf(((CreateIndexResponse) internalNodeClient.admin().indices().create(new CreateIndexRequest(str2)).actionGet()).isAcknowledged()), Matchers.equalTo(true));
            indicesAliasesRequest.addAliasAction(IndicesAliasesRequest.AliasActions.add().alias(str).index(str2));
        }
        MatcherAssert.assertThat(Boolean.valueOf(((AcknowledgedResponse) internalNodeClient.admin().indices().aliases(indicesAliasesRequest).actionGet()).isAcknowledged()), Matchers.equalTo(true));
    }

    private void createKibanaIndicesAndAliases() {
        createKibanaIndicesAndAliases(TenantRepository.FRONTEND_MULTI_TENANCY_ALIASES);
    }
}
