package com.floragunn.searchguard.authtoken;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.searchguard.authtoken.api.CreateAuthTokenRequest;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.TestData;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.JavaSecurityTestSetup;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.settings.Settings;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

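/**
 * Integration test checking that a Search Guard auth token stays bound to the document-level
 * security (DLS) restrictions of the user who created it.
 *
 * <p>The token is requested with {@code index_patterns: '*'} and {@code allowed_actions: '*'},
 * which is broader than the {@code SGS_READ} on {@code logs*} granted to the issuing user. The test
 * asserts that a document outside the issuer's DLS query is still not readable through the token.
 *
 * <p>The class runs once per index name returned by {@link #parameters()}, i.e. against an index
 * created with default settings and one created with {@code index.mode=logsdb}.
 *
 * <p>Reconstructed from the decompiled class file
 * {@code com/floragunn/searchguard/authtoken/AuthTokenDlsIntTest.class}; the decompiler's undefined
 * {@code r0} placeholders and expanded try-with-resources blocks have been restored to compilable
 * source.
 *
 * <p>NOTE(review): {@code DEPT_A_USER} and {@code DEPT_D_TERMS_LOOKUP_USER} are registered with the
 * cluster, and the terms-lookup index is seeded, but no test method visible in this class issues a
 * token for them. Only GET-by-id is asserted here; search requests made with a token are not
 * covered.
 */
@RunWith(Parameterized.class)
public class AuthTokenDlsIntTest {
    static final String INDEX_NAME_PREFIX = "logs";
    static final String INDEX_NORMAL_MODE = "logs_normal_index_mode";
    static final String INDEX_LOGS_DB_MODE = "logs_logs_db_index_mode";

    /** Index under test for the current parameterized run. */
    private final String indexName;

    @ClassRule
    public static JavaSecurityTestSetup javaSecurity = new JavaSecurityTestSetup();

    static final int DOC_COUNT = 200;
    static final TestData TEST_DATA = TestData.documentCount(DOC_COUNT).timestampColumnName("@timestamp").get();

    /** Unrestricted user; used as the control that proves a document exists. */
    static final TestSgConfig.User ADMIN = new TestSgConfig.User("admin").roles(new TestSgConfig.Role[]{
            new TestSgConfig.Role("all_access")
                    .indexPermissions(new String[]{"*"})
                    .on(new String[]{"*"})
                    .clusterPermissions(new String[]{"*"})});

    static final String INDEX_PATTERN = "logs*";

    /** Read-only user whose DLS query is a prefix match of {@code dept.value} on "dept_a". */
    static final TestSgConfig.User DEPT_A_USER = new TestSgConfig.User("dept_a").roles(new TestSgConfig.Role[]{
            new TestSgConfig.Role("dept_a")
                    .indexPermissions(new String[]{"SGS_READ"})
                    .dls(DocNode.of("prefix.dept.value", "dept_a"))
                    .on(new String[]{INDEX_PATTERN})
                    .clusterPermissions(new String[]{"*"})});

    /** Read-only user whose DLS query is a term match of {@code dept.value} on "dept_d". */
    static final TestSgConfig.User DEPT_D_USER = new TestSgConfig.User("dept_d").roles(new TestSgConfig.Role[]{
            new TestSgConfig.Role("dept_d")
                    .indexPermissions(new String[]{"SGS_READ"})
                    .dls(DocNode.of("term.dept.value", "dept_d"))
                    .on(new String[]{INDEX_PATTERN})
                    .clusterPermissions(new String[]{"*"})});

    /**
     * Read-only user whose DLS query is a terms lookup into the {@code user_dept_terms_lookup}
     * index, keyed by the {@code ${user.name}} placeholder.
     */
    static final TestSgConfig.User DEPT_D_TERMS_LOOKUP_USER = new TestSgConfig.User("dept_d_terms_lookup_user").roles(new TestSgConfig.Role[]{
            new TestSgConfig.Role("dept_d")
                    .indexPermissions(new String[]{"SGS_READ"})
                    .dls(DocNode.of("terms", DocNode.of("dept", DocNode.of("index", "user_dept_terms_lookup", "id", "${user.name}", "path", "dept"))))
                    .on(new String[]{INDEX_PATTERN})
                    .clusterPermissions(new String[]{"*"})});

    static final TestSgConfig.Authc AUTHC = new TestSgConfig.Authc(new TestSgConfig.Authc.Domain[]{
            new TestSgConfig.Authc.Domain("basic/internal_users_db")});
    static final TestSgConfig.DlsFls DLSFLS = new TestSgConfig.DlsFls().useImpl("flx").metrics("detailed");

    /** Auth token service enabled with an HS512 signing key taken from the TestJwk test fixture. */
    static final TestSgConfig.AuthTokenService AUTH_TOKEN_SERVICE = new TestSgConfig.AuthTokenService()
            .enabled(true)
            .jwtSigningKeyHs512(com.floragunn.searchguard.enterprise.auth.oidc.TestJwk.OCT_1_K);

    @ClassRule
    public static LocalCluster cluster = new LocalCluster.Builder()
            .sslEnabled()
            .enterpriseModulesEnabled()
            .authc(AUTHC)
            .dlsFls(DLSFLS)
            .authTokenService(AUTH_TOKEN_SERVICE)
            .users(new TestSgConfig.User[]{ADMIN, DEPT_A_USER, DEPT_D_USER, DEPT_D_TERMS_LOOKUP_USER})
            .resources((String) null)
            .enableModule(AuthTokenModule.class)
            .build();

    /**
     * @param str name of the index this parameterized run reads from
     */
    public AuthTokenDlsIntTest(String str) {
        this.indexName = str;
    }

    /**
     * @return the index names the test class is run against
     */
    @Parameterized.Parameters(name = "{0}")
    public static Object[] parameters() {
        return new Object[]{INDEX_NORMAL_MODE, INDEX_LOGS_DB_MODE};
    }

    /**
     * Creates both test indices with five shards each and seeds the terms-lookup document for
     * {@code dept_d_terms_lookup_user}.
     */
    @BeforeClass
    public static void setupTestData() {
        Client internalNodeClient = cluster.getInternalNodeClient();

        Settings normalSettings = Settings.builder().put("index.number_of_shards", 5).build();
        // presumably createIndex returns the effective index mode — confirm against TestData
        MatcherAssert.assertThat(
                TEST_DATA.createIndex(internalNodeClient, INDEX_NORMAL_MODE, normalSettings),
                Matchers.anyOf(Matchers.equalTo("normal"), Matchers.nullValue()));

        Settings logsDbSettings = Settings.builder()
                .put("index.number_of_shards", 5)
                .put("index.mode", "logsdb")
                .build();
        MatcherAssert.assertThat(
                TEST_DATA.createIndex(internalNodeClient, INDEX_LOGS_DB_MODE, logsDbSettings),
                Matchers.equalTo("logsdb"));

        // The document id equals the user name so that the "${user.name}" lookup id resolves to it.
        internalNodeClient.index(new IndexRequest("user_dept_terms_lookup")
                .id("dept_d_terms_lookup_user")
                .setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE)
                .source(new Object[]{"dept", "dept_d"})).actionGet();
    }

    /**
     * Creates a token as {@code dept_d} and verifies that GET-by-id through the token is filtered by
     * that user's DLS query, even though the token itself requests all actions on all indices.
     *
     * @throws Exception if a REST call or client shutdown fails
     */
    @Test
    public void get_authtoken() throws Exception {
        String deptADocPath = "/" + this.indexName + "/_doc/" + TEST_DATA.anyDocumentForDepartment("dept_a_1").getId();
        String deptDDocPath = "/" + this.indexName + "/_doc/" + TEST_DATA.anyDocumentForDepartment("dept_d").getId();
        String token;

        try (GenericRestClient restClient = cluster.getRestClient(DEPT_D_USER, new Header[0])) {
            // Deliberately over-broad request: the token must not grant more than its issuer has.
            CreateAuthTokenRequest createAuthTokenRequest = new CreateAuthTokenRequest(
                    RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*'\n  allowed_actions: '*'"));
            createAuthTokenRequest.setTokenName("my_new_token");

            GenericRestClient.HttpResponse createResponse = restClient.postJson("/_searchguard/authtoken", createAuthTokenRequest);
            Assert.assertEquals(200L, createResponse.getStatusCode());

            token = createResponse.getBodyAsDocNode().getAsString("token");
            Assert.assertNotNull(token);
        }

        try (GenericRestClient tokenClient = cluster.getRestClient(new Header[]{new BasicHeader("Authorization", "Bearer " + token)})) {
            // Outside the issuer's DLS query: the test expects the document to be hidden (404).
            GenericRestClient.HttpResponse hiddenResponse = tokenClient.get(deptADocPath, new Header[0]);
            Assert.assertEquals(hiddenResponse.getBody(), 404L, hiddenResponse.getStatusCode());

            // Inside the issuer's DLS query: readable through the token.
            GenericRestClient.HttpResponse visibleResponse = tokenClient.get(deptDDocPath, new Header[0]);
            Assert.assertEquals(visibleResponse.getBody(), 200L, visibleResponse.getStatusCode());
        }

        try (GenericRestClient adminClient = cluster.getRestClient(ADMIN, new Header[0])) {
            // Control: the hidden document does exist, so the 404 above comes from DLS filtering
            // and not from a missing document.
            GenericRestClient.HttpResponse controlResponse = adminClient.get(deptADocPath, new Header[0]);
            Assert.assertEquals(controlResponse.getBody(), 200L, controlResponse.getStatusCode());
        }
    }
}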
