package com.floragunn.searchguard.enterprise.femt.tenants;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.searchguard.authz.TenantManager;
import com.floragunn.searchguard.enterprise.femt.MultiTenancyAuthorizationFilterTest;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchsupport.junit.matcher.DocNodeMatchers;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.admin.indices.alias.Alias;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestStatus;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/tenants/DashboardAccessByReadOnlyUserTest.class */
public class DashboardAccessByReadOnlyUserTest {
    private static final String FRONTEND_INDEX = ".kibana";
    private static final Logger log = LogManager.getLogger(DashboardAccessByReadOnlyUserTest.class);
    private static final TestSgConfig.User FRONTEND_SERVER_USER = new TestSgConfig.User("kibana_server");
    private static final TestSgConfig.Tenant HR_TENANT = new TestSgConfig.Tenant("hr_tenant");
    private static final TestSgConfig.User USER_READ_ONLY_TENANT = new TestSgConfig.User("user_read_only_tenant").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("hr_tenant_read_only").tenantPermission(new String[]{"SGS_KIBANA_ALL_READ"}).on(new String[]{HR_TENANT.getName()})});

    @ClassRule
    public static LocalCluster.Embedded cluster = new LocalCluster.Builder().sslEnabled().nodeSettings(new Object[]{"action.destructive_requires_name", false, "searchguard.unsupported.single_index_mt_enabled", true}).enterpriseModulesEnabled().roleMapping(new TestSgConfig.RoleMapping[]{new TestSgConfig.RoleMapping("SGS_KIBANA_USER").users(new String[]{USER_READ_ONLY_TENANT.getName()})}).users(new TestSgConfig.User[]{USER_READ_ONLY_TENANT}).frontendMultiTenancy(new TestSgConfig.FrontendMultiTenancy(true).index(".kibana").serverUser(FRONTEND_SERVER_USER.getName())).tenants(new TestSgConfig.Tenant[]{HR_TENANT}).embedded().build();

    @BeforeClass
    public static void createIndex() {
        Client internalNodeClient = cluster.getInternalNodeClient();
        MatcherAssert.assertThat(Boolean.valueOf(((CreateIndexResponse) internalNodeClient.admin().indices().create(new CreateIndexRequest(MultiTenancyAuthorizationFilterTest.FRONTEND_MAIN_INDEX).settings(Settings.builder().put("index.hidden", true)).alias(new Alias(".kibana_8.9.0")).alias(new Alias(".kibana")).mapping(DocNode.of("_doc", DocNode.of("properties", DocNode.of("sg_tenant", DocNode.of("type", "keyword")))))).actionGet()).isAcknowledged()), Matchers.equalTo(true));
        MatcherAssert.assertThat(((DocWriteResponse) internalNodeClient.index(new IndexRequest(".kibana").source(ImmutableMap.of("sg_tenant", TenantManager.toInternalTenantName(HR_TENANT.getName()))).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE)).actionGet()).status(), Matchers.equalTo(RestStatus.CREATED));
    }

    @Test
    public void shouldHavePermissionToLegacyUriAliasUpdate() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(USER_READ_ONLY_TENANT, new Header[]{new BasicHeader("sg_tenant", HR_TENANT.getName())});
        try {
            GenericRestClient.HttpResponse postJson = restClient.postJson("/_bulk", "{\"update\":{\"_id\":\"legacy-url-alias:default:dashboard:d90bca50-0910-11ef-ab4b-bf505c6701d0\",\"_index\":\".kibana_8.9.0\",\"_source\":true}}\n{\"script\":{\"source\":\"\\n            if (ctx._source[params.type].disabled != true) {\\n              if (ctx._source[params.type].resolveCounter == null) {\\n                ctx._source[params.type].resolveCounter = 1;\\n              }\\n              else {\\n                ctx._source[params.type].resolveCounter += 1;\\n              }\\n              ctx._source[params.type].lastResolved = params.time;\\n              ctx._source.updated_at = params.time;\\n            }\\n          \",\"lang\":\"painless\",\"params\":{\"type\":\"legacy-url-alias\",\"time\":\"2024-05-04T12:27:03.048Z\"}}}\n{\"update\":{\"_id\":\"legacy-url-alias:default:index-pattern:e4275435-dba8-4dbb-882f-509295543b89\",\"_index\":\".kibana_8.9.0\",\"_source\":true}}\n{\"script\":{\"source\":\"\\n            if (ctx._source[params.type].disabled != true) {\\n              if (ctx._source[params.type].resolveCounter == null) {\\n                ctx._source[params.type].resolveCounter = 1;\\n              }\\n              else {\\n                ctx._source[params.type].resolveCounter += 1;\\n              }\\n              ctx._source[params.type].lastResolved = params.time;\\n              ctx._source.updated_at = params.time;\\n            }\\n          \",\"lang\":\"painless\",\"params\":{\"type\":\"legacy-url-alias\",\"time\":\"2024-05-04T12:27:03.048Z\"}}}\n", new Header[0]);
            log.debug("Response status '{}', and body '{}'", Integer.valueOf(postJson.getStatusCode()), postJson.getBody());
            MatcherAssert.assertThat(Integer.valueOf(postJson.getStatusCode()), Matchers.equalTo(200));
            DocNode bodyAsDocNode = postJson.getBodyAsDocNode();
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.errors", true));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.items[0].update.status", 404));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.items[0].update.error.type", "document_missing_exception"));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.items[0].update._id", "legacy-url-alias:default:dashboard:d90bca50-0910-11ef-ab4b-bf505c6701d0"));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.items[1].update.status", 404));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.items[1].update.error.type", "document_missing_exception"));
            MatcherAssert.assertThat(bodyAsDocNode, DocNodeMatchers.containsValue("$.items[1].update._id", "legacy-url-alias:default:index-pattern:e4275435-dba8-4dbb-882f-509295543b89"));
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }
}
