package com.floragunn.searchguard.authtoken;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.searchguard.authtoken.api.CreateAuthTokenRequest;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.RestMatchers;
import com.floragunn.searchguard.test.TestComponentTemplate;
import com.floragunn.searchguard.test.TestData;
import com.floragunn.searchguard.test.TestDataStream;
import com.floragunn.searchguard.test.TestIndexTemplate;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.JavaSecurityTestSetup;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchsupport.junit.matcher.DocNodeMatchers;
import java.util.Collections;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.elasticsearch.common.settings.Settings;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/authtoken/AuthTokenDlsIntTest.class */
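/**
 * Integration tests checking that Search Guard auth tokens stay bound to the document-level
 * security (DLS), field-level security (FLS) and field-masking rules of the issuing user.
 *
 * <p>Every token here is requested with wildcard privileges ({@code '*'} patterns and actions).
 * The assertions therefore check that the token never grants more than the issuing user's own
 * restricted view, whether access goes through an index, an alias or a data stream.
 *
 * <p>This class was recovered from decompiled bytecode. The resource handling has been rebuilt as
 * try-with-resources because the decompiled form referenced undefined locals ({@code r0},
 * out-of-scope {@code th}) and did not close clients on every failure path.
 *
 * <p>NOTE(review): the fixture grants cluster permission {@code *} to every user, enables authz
 * debug output and signs tokens with a key taken from a test JWK class. These look like
 * test-only settings; confirm none of them leaks into a real configuration.
 */
public class AuthTokenDlsIntTest {

    @ClassRule
    public static JavaSecurityTestSetup javaSecurity = new JavaSecurityTestSetup();
    static final int DOC_COUNT = 200;
    static final TestData TEST_DATA = TestData.documentCount(DOC_COUNT).get();
    static final String DATA_STREAM = "ds_logs";
    static final TestDataStream TEST_DATA_STREAM = new TestDataStream.Builder().name(DATA_STREAM).documentCount(DOC_COUNT).build();
    // Unrestricted user: serves as the control that the documents are readable without DLS.
    static final TestSgConfig.User ADMIN = new TestSgConfig.User("admin").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("all_access").clusterPermissions(new String[]{"*"}).indexPermissions(new String[]{"*"}).on(new String[]{"*"}).aliasPermissions(new String[]{"*"}).on(new String[]{"*"}).dataStreamPermissions(new String[]{"*"}).on(new String[]{"*"})});
    static final String INDEX = "logs";
    // Read access to INDEX, limited by a DLS prefix query on dept.
    static final TestSgConfig.User DEPT_A_USER = new TestSgConfig.User("dept_a").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("dept_a").indexPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("prefix.dept.value", "dept_a")).on(new String[]{INDEX}).clusterPermissions(new String[]{"*"})});
    // Read access to INDEX, limited by a DLS term query to dept_d documents.
    static final TestSgConfig.User DEPT_D_USER = new TestSgConfig.User("dept_d").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("dept_d").indexPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("term.dept.value", "dept_d")).on(new String[]{INDEX}).clusterPermissions(new String[]{"*"})});
    static final String INDEX_ALIAS = "logs_alias";
    // Same dept_d DLS rule, but the permission is granted on the alias instead of the index.
    static final TestSgConfig.User DEPT_D_VIA_ALIAS_USER = new TestSgConfig.User("dept_d_via_alias").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("dept_d_via_alias").aliasPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("term.dept.value", "dept_d")).on(new String[]{INDEX_ALIAS}).clusterPermissions(new String[]{"*"})});
    // Same dept_d DLS rule, granted on the data stream.
    static final TestSgConfig.User DEPT_D_DATA_STREAM_USER = new TestSgConfig.User("dept_d_ds").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("dept_d_ds").dataStreamPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("term.dept.value", "dept_d")).on(new String[]{DATA_STREAM}).clusterPermissions(new String[]{"*"})});
    // DLS rule that is a terms-lookup query against the user_dept_terms_lookup index, keyed by ${user.name}.
    static final TestSgConfig.User DEPT_D_TERMS_LOOKUP_USER = new TestSgConfig.User("dept_d_terms_lookup_user").roles(new TestSgConfig.Role[]{new TestSgConfig.Role("dept_d").indexPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("terms", DocNode.of("dept", DocNode.of("index", "user_dept_terms_lookup", "id", "${user.name}", "path", "dept")))).on(new String[]{INDEX}).clusterPermissions(new String[]{"*"})});
    // Role combining DLS (dept_d only), FLS (three visible fields) and masking of dest_ip.
    static final TestSgConfig.Role ROLE_WITH_DLS_FLS_FM_RULES_ON_INDEX = new TestSgConfig.Role("dls_fls_fm_role").clusterPermissions(new String[]{"*"}).indexPermissions(new String[]{"SGS_READ"}).dls(DocNode.of("term.dept.value", "dept_d")).fls(new String[]{"source_ip", "dest_ip", "dept"}).maskedFields(new String[]{"dest_ip"}).on(new String[]{INDEX});
    static final TestSgConfig.User DLS_FLS_FM_USER = new TestSgConfig.User("dls_fls_fm").roles(new String[]{ROLE_WITH_DLS_FLS_FM_RULES_ON_INDEX.getName()});
    static final TestSgConfig.Authc AUTHC = new TestSgConfig.Authc(new TestSgConfig.Authc.Domain[]{new TestSgConfig.Authc.Domain("basic/internal_users_db")});
    static final TestSgConfig.DlsFls DLSFLS = new TestSgConfig.DlsFls().metrics("detailed");
    // NOTE(review): signing key comes from a class named TestJwk, presumably a fixed test key; never reuse outside tests.
    static final TestSgConfig.AuthTokenService AUTH_TOKEN_SERVICE = new TestSgConfig.AuthTokenService().enabled(true).jwtSigningKeyHs512(com.floragunn.searchguard.enterprise.auth.oidc.TestJwk.OCT_1_K);

    private static final String AUTH_TOKEN_ENDPOINT = "/_searchguard/authtoken";
    private static final String TOKEN_NAME = "my_new_token";

    @ClassRule
    public static LocalCluster cluster = new LocalCluster.Builder().singleNode().sslEnabled().enterpriseModulesEnabled().authc(AUTHC).dlsFls(DLSFLS).roles(new TestSgConfig.Role[]{ROLE_WITH_DLS_FLS_FM_RULES_ON_INDEX}).indexTemplates(new TestIndexTemplate[]{new TestIndexTemplate("ds_test", new String[]{"ds_*"}).dataStream().composedOf(new TestComponentTemplate[]{TestComponentTemplate.DATA_STREAM_MINIMAL})}).dataStreams(new TestDataStream[]{TEST_DATA_STREAM}).authzDebug(true).authTokenService(AUTH_TOKEN_SERVICE).users(new TestSgConfig.User[]{ADMIN, DEPT_A_USER, DEPT_D_USER, DEPT_D_TERMS_LOOKUP_USER, DEPT_D_VIA_ALIAS_USER, DEPT_D_DATA_STREAM_USER, DLS_FLS_FM_USER}).resources((String) null).enableModule(AuthTokenModule.class).useExternalProcessCluster().build();

    /**
     * Creates the {@code logs} index with the generated test documents, the terms-lookup document
     * for {@link #DEPT_D_TERMS_LOOKUP_USER} and the {@code logs_alias} alias on the index.
     *
     * @throws Exception if a request fails or a response does not have the expected status
     */
    @BeforeClass
    public static void setupTestData() throws Exception {
        try (GenericRestClient adminCertClient = cluster.getAdminCertRestClient()) {
            TEST_DATA.createIndex(adminCertClient, INDEX, Settings.builder().put("index.number_of_shards", 5).build());
            MatcherAssert.assertThat(adminCertClient.putJson("/user_dept_terms_lookup/_doc/dept_d_terms_lookup_user?refresh=true", DocNode.of("dept", "dept_d")), RestMatchers.isCreated());
            MatcherAssert.assertThat(adminCertClient.postJson("/_aliases", DocNode.of("actions", DocNode.array(new Object[]{DocNode.of("add", DocNode.of("index", INDEX, "alias", INDEX_ALIAS))})), new Header[0]), RestMatchers.isOk());
        }
    }

    /**
     * Verifies that a token requested with wildcard privileges still enforces the issuing user's
     * DLS rule when documents are read through an index, an alias and a data stream.
     *
     * <p>For each access path the token must hide the {@code dept_a_1} document (404 or zero
     * hits) and expose the {@code dept_d} document. The closing admin requests are the control:
     * the same resources answer with 200 for an unrestricted user.
     *
     * @throws Exception if a request fails or an assertion does not hold
     */
    @Test
    public void get_authtoken() throws Exception {
        TestData.TestDocument hiddenDocument = TEST_DATA.anyDocumentForDepartment("dept_a_1");
        TestData.TestDocument visibleDocument = TEST_DATA.anyDocumentForDepartment("dept_d");

        // --- access through the index ---
        String hiddenViaIndex = String.format("/%s/_doc/%s", INDEX, hiddenDocument.getId());
        String visibleViaIndex = String.format("/%s/_doc/%s", INDEX, visibleDocument.getId());
        String indexToken = issueToken(DEPT_D_USER, "index_permissions:\n- index_patterns: '*'\n  allowed_actions: '*'");
        try (GenericRestClient tokenClient = cluster.getRestClient(new Header[]{bearerHeader(indexToken)})) {
            assertStatus(404L, tokenClient.get(hiddenViaIndex, new Header[0]));
            assertStatus(200L, tokenClient.get(visibleViaIndex, new Header[0]));
        }

        // --- access through the alias ---
        String hiddenViaAlias = String.format("/%s/_doc/%s", INDEX_ALIAS, hiddenDocument.getId());
        String visibleViaAlias = String.format("/%s/_doc/%s", INDEX_ALIAS, visibleDocument.getId());
        String aliasToken = issueToken(DEPT_D_VIA_ALIAS_USER, "alias_permissions:\n- alias_patterns: '*'\n  allowed_actions: '*'");
        try (GenericRestClient tokenClient = cluster.getRestClient(new Header[]{bearerHeader(aliasToken)})) {
            assertStatus(404L, tokenClient.get(hiddenViaAlias, new Header[0]));
            assertStatus(200L, tokenClient.get(visibleViaAlias, new Header[0]));
        }

        // --- access through the data stream (by-id search instead of a document GET) ---
        String hiddenIdQuery = String.format("{\"query\":{\"ids\":{ \"values\": [\"%s\"]}}}", hiddenDocument.getId());
        String visibleIdQuery = String.format("{\"query\":{\"ids\":{ \"values\": [ \"%s\"]}}}", visibleDocument.getId());
        String dataStreamSearch = String.format("/%s/_search", DATA_STREAM);
        String dataStreamToken = issueToken(DEPT_D_DATA_STREAM_USER, "data_stream_permissions:\n- data_stream_patterns: '*'\n  allowed_actions: '*'");
        try (GenericRestClient tokenClient = cluster.getRestClient(new Header[]{bearerHeader(dataStreamToken)})) {
            GenericRestClient.HttpResponse hiddenHits = tokenClient.postJson(dataStreamSearch, hiddenIdQuery, new Header[0]);
            MatcherAssert.assertThat(hiddenHits.getBodyAsDocNode(), DocNodeMatchers.docNodeSizeEqualTo("$.hits.hits", 0));
            assertStatus(200L, hiddenHits);
            GenericRestClient.HttpResponse visibleHits = tokenClient.postJson(dataStreamSearch, visibleIdQuery, new Header[0]);
            assertStatus(200L, visibleHits);
            MatcherAssert.assertThat(visibleHits.getBodyAsDocNode(), DocNodeMatchers.docNodeSizeEqualTo("$.hits.hits", 1));
        }

        // --- control: the unrestricted admin gets 200 on the same resources ---
        try (GenericRestClient adminClient = cluster.getRestClient(ADMIN, new Header[0])) {
            assertStatus(200L, adminClient.get(visibleViaIndex, new Header[0]));
            assertStatus(200L, adminClient.get(hiddenViaAlias, new Header[0]));
            // Only the status is checked here; the hit count of the admin search is not asserted.
            assertStatus(200L, adminClient.postJson(dataStreamSearch, hiddenIdQuery, new Header[0]));
        }
    }

    /**
     * Verifies that a token created with frozen privileges keeps the DLS, FLS and field-masking
     * rules that were in force when it was issued, even after the underlying role is replaced by
     * one without those rules.
     *
     * <p>After the role update the user's regular session sees the relaxed view (documents of
     * other departments, more than three source fields, unmasked {@code dest_ip}). The token
     * session must still see only {@code dept_d} documents, exactly the three FLS fields and a
     * {@code dest_ip} value that differs from the stored one.
     *
     * <p>NOTE(review): only the "role gets loosened" direction is covered. Presumably a frozen
     * token would likewise ignore a role being tightened; confirm and consider a test for it.
     *
     * @throws Exception if a request fails or an assertion does not hold
     */
    @Test
    public void roleChangesShouldNotAffectTokenWithFrozenPrivileges() throws Exception {
        String roleEndpoint = "/_searchguard/api/roles/" + ROLE_WITH_DLS_FLS_FM_RULES_ON_INDEX.getName();

        try (GenericRestClient userClient = cluster.getRestClient(DLS_FLS_FM_USER, new Header[0]);
                GenericRestClient adminCertClient = cluster.getAdminCertRestClient()) {
            try {
                CreateAuthTokenRequest tokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*'\n  allowed_actions: '*'"));
                tokenRequest.setFreezePrivileges(true);
                tokenRequest.setTokenName(TOKEN_NAME);
                GenericRestClient.HttpResponse tokenResponse = userClient.postJson(AUTH_TOKEN_ENDPOINT, tokenRequest);
                MatcherAssert.assertThat(tokenResponse, RestMatchers.isOk());
                String token = tokenResponse.getBodyAsDocNode().getAsString("token");

                // Replace the role with a plain read role: no DLS, no FLS, no masked fields.
                MatcherAssert.assertThat(adminCertClient.putJson(roleEndpoint, DocNode.of("cluster_permissions", Collections.singletonList("*"), "index_permissions", DocNode.array(new Object[]{DocNode.of("index_patterns", Collections.singletonList(INDEX), "allowed_actions", Collections.singletonList("SGS_READ"))}))), RestMatchers.isOk());

                TestData.TestDocument deptDDocument = TEST_DATA.anyDocumentForDepartment("dept_d");
                TestData.TestDocument deptADocument = TEST_DATA.anyDocumentForDepartment("dept_a_1");
                MatcherAssert.assertThat(deptDDocument, Matchers.notNullValue());
                MatcherAssert.assertThat(deptADocument, Matchers.notNullValue());
                String deptDUrl = "/logs/_doc/" + deptDDocument.getId();
                String deptAUrl = "/logs/_doc/" + deptADocument.getId();

                // Regular session: follows the updated role, so the restrictions are gone.
                GenericRestClient.HttpResponse userSearch = userClient.get("/logs/_search?size=200", new Header[0]);
                MatcherAssert.assertThat(userSearch, RestMatchers.isOk());
                MatcherAssert.assertThat(userSearch.getBodyAsDocNode().findByJsonPath("$.hits.hits[*]._source.dept"), Matchers.not(Matchers.everyItem(Matchers.equalTo("dept_d"))));
                GenericRestClient.HttpResponse userDeptD = userClient.get(deptDUrl, new Header[0]);
                MatcherAssert.assertThat(userDeptD, RestMatchers.isOk());
                MatcherAssert.assertThat(Integer.valueOf(userDeptD.getBodyAsDocNode().getAsNode("_source").size()), Matchers.greaterThan(3));
                MatcherAssert.assertThat(userDeptD.getBodyAsDocNode(), DocNodeMatchers.containsValue("$._source.source_ip", deptDDocument.getContent().get("source_ip")));
                MatcherAssert.assertThat(userDeptD.getBodyAsDocNode(), DocNodeMatchers.containsValue("$._source.dest_ip", deptDDocument.getContent().get("dest_ip")));
                MatcherAssert.assertThat(userClient.get(deptAUrl, new Header[0]), RestMatchers.isOk());

                // Token session: must still enforce the rules captured when the token was issued.
                try (GenericRestClient tokenClient = cluster.getRestClient(new Header[]{bearerHeader(token)})) {
                    GenericRestClient.HttpResponse tokenSearch = tokenClient.get("/logs/_search?size=200", new Header[0]);
                    MatcherAssert.assertThat(tokenSearch, RestMatchers.isOk());
                    MatcherAssert.assertThat(tokenSearch.getBodyAsDocNode().findByJsonPath("$.hits.hits[*]._source.dept"), Matchers.everyItem(Matchers.equalTo("dept_d")));
                    GenericRestClient.HttpResponse tokenDeptD = tokenClient.get(deptDUrl, new Header[0]);
                    MatcherAssert.assertThat(tokenDeptD, RestMatchers.isOk());
                    MatcherAssert.assertThat(tokenDeptD.getBodyAsDocNode(), DocNodeMatchers.docNodeSizeEqualTo("$._source", 3));
                    MatcherAssert.assertThat(tokenDeptD.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("$._source", "dept"));
                    MatcherAssert.assertThat(tokenDeptD.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("$._source", "source_ip"));
                    MatcherAssert.assertThat(tokenDeptD.getBodyAsDocNode(), DocNodeMatchers.containsFieldPointedByJsonPath("$._source", "dest_ip"));
                    MatcherAssert.assertThat(tokenDeptD.getBodyAsDocNode(), DocNodeMatchers.containsValue("$._source.source_ip", deptDDocument.getContent().get("source_ip")));
                    // dest_ip is a masked field: present, but not with its stored value.
                    MatcherAssert.assertThat(tokenDeptD.getBodyAsDocNode(), Matchers.not(DocNodeMatchers.containsValue("$._source.dest_ip", deptDDocument.getContent().get("dest_ip"))));
                    MatcherAssert.assertThat(tokenClient.get(deptAUrl, new Header[0]), RestMatchers.isNotFound());
                }
            } finally {
                // The cluster and the role are shared by the whole class, so always put the
                // original role definition back, whether the assertions passed or failed.
                MatcherAssert.assertThat(adminCertClient.putJson(roleEndpoint, ROLE_WITH_DLS_FLS_FM_RULES_ON_INDEX), RestMatchers.isOk());
            }
        }
    }

    /** Requests an auth token for {@code user} with the given requested-privileges YAML and returns the token string. */
    private static String issueToken(TestSgConfig.User user, String requestedPrivilegesYaml) throws Exception {
        try (GenericRestClient userClient = cluster.getRestClient(user, new Header[0])) {
            CreateAuthTokenRequest tokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml(requestedPrivilegesYaml));
            tokenRequest.setTokenName(TOKEN_NAME);
            GenericRestClient.HttpResponse tokenResponse = userClient.postJson(AUTH_TOKEN_ENDPOINT, tokenRequest);
            Assert.assertEquals(200L, tokenResponse.getStatusCode());
            String token = tokenResponse.getBodyAsDocNode().getAsString("token");
            Assert.assertNotNull(token);
            return token;
        }
    }

    /** Builds the {@code Authorization: Bearer} header that carries {@code token}. */
    private static Header bearerHeader(String token) {
        return new BasicHeader("Authorization", "Bearer " + token);
    }

    /** Asserts the response status, using the response body as the failure message. */
    private static void assertStatus(long expectedStatus, GenericRestClient.HttpResponse response) {
        Assert.assertEquals(response.getBody(), expectedStatus, response.getStatusCode());
    }
}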
