package com.floragunn.searchguard.authtoken;

import co.elastic.clients.elasticsearch._types.ElasticsearchException;
import co.elastic.clients.elasticsearch.core.SearchResponse;
import co.elastic.clients.elasticsearch.core.search.Hit;
import com.floragunn.codova.documents.BasicJsonPathDefaultConfiguration;
import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.DocReader;
import com.floragunn.codova.documents.DocumentParseException;
import com.floragunn.codova.documents.Format;
import com.floragunn.searchguard.authtoken.api.CreateAuthTokenRequest;
import com.floragunn.searchguard.client.RestHighLevelClient;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.JavaSecurityTestSetup;
import com.floragunn.searchguard.test.helper.cluster.JvmEmbeddedEsCluster;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchsupport.junit.ThrowableAssert;
import com.floragunn.searchsupport.junit.matcher.ExceptionsMatchers;
import com.google.common.io.BaseEncoding;
import com.jayway.jsonpath.Configuration;
import com.jayway.jsonpath.JsonPath;
import com.jayway.jsonpath.Option;
import com.jayway.jsonpath.Predicate;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xcontent.XContentType;
import org.hamcrest.Matcher;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/authtoken/AuthTokenIntegrationTest.class */
public class AuthTokenIntegrationTest {
    // Search Guard configuration (YAML) shared by the tests in this class. It enables the auth
    // token provider with a fixed HS512 signing key, audience "searchguard_tokenauth", a maximum
    // validity of "1y" and a cap of 10 tokens per user (the cap maxTokenCountTest runs into).
    // Two authentication domains are defined: HTTP basic against the internal user backend
    // (order 1) and the sg_auth_token domain for JWTs issued by Search Guard (order 0, HTTP only).
    // NOTE(review): jwt_signing_key_hs512 is a symmetric key committed in source. Treat it as a
    // test fixture for the embedded cluster only; anyone holding it can mint tokens that a
    // cluster configured with the same key would accept.
    private static String SGCONFIG = "_sg_meta:\n  type: \"config\"\n  config_version: 2\n\nsg_config:\n  dynamic:\n    auth_token_provider: \n      enabled: true\n      jwt_signing_key_hs512: \"eTDZjSqRD9Abhod9iqeGX_7o93a-eElTeXWAF6FmzQshmRIrPD-C9ET3pFjJ_IBrzmWIZDk8ig-X_PIyGmKsxNMsrU-0BNWF5gJq5xOp4rYTl8z66Tw9wr8tHLxLxgJqkLSuUCRBZvlZlQ7jNdhBBxgM-hdSSzsN1T33qdIwhrUeJ-KXI5yKUXHjoWFYb9tETbYQ4NvONowkCsXK_flp-E3F_OcKe_z5iVUszAV8QfCod1zhbya540kDejXCL6N_XMmhWJqum7UJ3hgf6DEtroPSnVpHt4iR5w9ArKK-IBgluPght03gNcoNqwz7p77TFbdOmUKF_PWy1bcdbaUoSg\"\n      jwt_aud: \"searchguard_tokenauth\"\n      max_validity: \"1y\"\n      max_tokens_per_user: 10\n      token_cache:\n        expire_after_write: 70m\n        max_size: 100\n    authc:\n      authentication_domain_basic_internal:\n        http_enabled: true\n        transport_enabled: true\n        order: 1\n        http_authenticator:\n          challenge: true\n          type: \"basic\"\n          config: {}\n        authentication_backend:\n          type: \"intern\"\n          config:\n            map_db_attrs_to_user_attrs:\n              index: test_attr_1.c\n              all: test_attr_1\n      sg_issued_jwt_auth_domain:\n        description: \"Authenticate via Json Web Tokens issued by Search Guard\"\n        http_enabled: true\n        transport_enabled: false\n        order: 0\n        http_authenticator:\n          type: sg_auth_token\n          challenge: false\n        authentication_backend:\n          type: sg_auth_token";
    // Cluster security configuration: the "authtoken" test resources plus SGCONFIG parsed from YAML.
    static TestSgConfig sgConfig = new TestSgConfig().resources("authtoken").sgConfigSettings("", TestSgConfig.fromYaml(SGCONFIG), new Object[0]);
    // JsonPath configuration with SUPPRESS_EXCEPTIONS set; the tests use it to read the
    // "base.c" claim, which one test expects to be present and another expects to be null.
    private static Configuration JSON_PATH_CONFIG = BasicJsonPathDefaultConfiguration.defaultConfiguration().setOptions(new Option[]{Option.SUPPRESS_EXCEPTIONS});

    @ClassRule
    public static JavaSecurityTestSetup javaSecurity = new JavaSecurityTestSetup();

    // Embedded, SSL-enabled cluster shared by the tests: REST API access is limited to the
    // sg_admin role, enterprise modules are on and AuthTokenModule is loaded.
    @ClassRule
    public static LocalCluster.Embedded cluster = new LocalCluster.Builder().nodeSettings(new Object[]{"searchguard.restapi.roles_enabled.0", "sg_admin"}).resources("authtoken").sslEnabled().sgConfig(sgConfig).enterpriseModulesEnabled().enableModule(AuthTokenModule.class).embedded().build();

    /**
     * Seeds the shared cluster with the documents the tests search for.
     *
     * <p>Each document is written through the internal node client with an immediate refresh,
     * so it is searchable as soon as this method returns. The {@code this_is} field records
     * the outcome a test expects when it reads the document.
     */
    @BeforeClass
    public static void setupTestData() {
        Client nodeClient = cluster.getInternalNodeClient();
        // One row per document, in insertion order: target index, then the field/value pairs.
        Object[][] fixtures = {
            {"pub_test_deny", new Object[]{"this_is", "not_allowed_from_token"}},
            {"pub_test_allow_because_from_token", new Object[]{"this_is", "allowed"}},
            {"user_attr_foo", new Object[]{"this_is", "allowed"}},
            {"user_attr_qux", new Object[]{"this_is", "not_allowed"}},
            {"dls_user_attr", new Object[]{"this_is", "allowed", "a", "foo"}},
            {"dls_user_attr", new Object[]{"this_is", "not_allowed", "a", "qux"}},
        };
        for (Object[] fixture : fixtures) {
            IndexRequest request = new IndexRequest((String) fixture[0]);
            request.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE);
            request.source(XContentType.JSON, (Object[]) fixture[1]);
            nodeClient.index(request).actionGet();
        }
    }

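    /**
     * Verifies token issuance without a configured signing key and that a token issued under
     * the previous key stops being accepted once the key changes.
     *
     * <p>Sequence: issue a token while the key from {@code SGCONFIG} is active; replace the
     * provider configuration with {@code enabled: true} only and check that the returned
     * configuration exposes neither {@code jwt_signing_key} nor {@code jwt_signing_key_hs512};
     * issue a second token (still {@code HS512}); then confirm that the first token is answered
     * with 401 on both indices while the second gets 200 on the permitted index and 403 on the
     * other. The original provider configuration is restored whether or not the test passes.
     *
     * <p>Every client is opened in try-with-resources so it is closed even when an assertion
     * fails part-way through.
     *
     * @throws Exception if a request fails or an assertion does not hold
     */
    @Test
    public void tokenWithDefaultSigningKeyTest() throws Exception {
        String requestedPrivileges = "index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'";
        String matchAllQuery = "{\"query\":{\"match_all\":{}}}";
        try {
            String configuredKeyToken;
            try (GenericRestClient restClient = cluster.getRestClient("spock", "spock", new Header[0])) {
                CreateAuthTokenRequest request = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml(requestedPrivileges));
                request.setTokenName("token_with_configured_signing_key");
                GenericRestClient.HttpResponse response = restClient.postJson("/_searchguard/authtoken", request);
                MatcherAssert.assertThat(response.getBody(), response.getStatusCode(), Matchers.equalTo(200));
                configuredKeyToken = response.getBodyAsDocNode().getAsString("token");
                MatcherAssert.assertThat(configuredKeyToken, Matchers.notNullValue());
            }

            // Drop the configured key; the service must not echo any signing key material back.
            DocNode keylessConfig = updateAuthTokenServiceConfig(DocNode.of("enabled", true));
            MatcherAssert.assertThat(keylessConfig.get("jwt_signing_key"), Matchers.nullValue());
            MatcherAssert.assertThat(keylessConfig.get("jwt_signing_key_hs512"), Matchers.nullValue());

            String defaultKeyToken;
            try (GenericRestClient restClient = cluster.getRestClient("spock", "spock", new Header[0])) {
                CreateAuthTokenRequest request = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml(requestedPrivileges));
                request.setTokenName("token_with_default_signing_key");
                GenericRestClient.HttpResponse response = restClient.postJson("/_searchguard/authtoken", request);
                // The response body carries the bearer token, so it is not echoed to stdout;
                // it still appears as the assertion reason if the status check fails.
                MatcherAssert.assertThat(response.getBody(), response.getStatusCode(), Matchers.equalTo(200));
                defaultKeyToken = response.getBodyAsDocNode().getAsString("token");
                MatcherAssert.assertThat(defaultKeyToken, Matchers.notNullValue());
                MatcherAssert.assertThat(getJwtHeaderValue(defaultKeyToken, "alg"), Matchers.equalTo("HS512"));
            }

            // A token signed with the replaced key must no longer authenticate at all (401, not 403).
            try (GenericRestClient staleTokenClient = cluster.getRestClient(new Header[]{new BasicHeader("Authorization", "Bearer " + configuredKeyToken)})) {
                GenericRestClient.HttpResponse allowedIndex = staleTokenClient.postJson("/pub_test_allow_because_from_token/_search", matchAllQuery, new Header[0]);
                MatcherAssert.assertThat(allowedIndex.getBody(), allowedIndex.getStatusCode(), Matchers.equalTo(401));
                GenericRestClient.HttpResponse deniedIndex = staleTokenClient.postJson("/pub_test_deny/_search", matchAllQuery, new Header[0]);
                MatcherAssert.assertThat(deniedIndex.getBody(), deniedIndex.getStatusCode(), Matchers.equalTo(401));
            }

            // The token issued under the current key authenticates and is limited to its index pattern.
            try (GenericRestClient currentTokenClient = cluster.getRestClient(new Header[]{new BasicHeader("Authorization", "Bearer " + defaultKeyToken)})) {
                GenericRestClient.HttpResponse allowedIndex = currentTokenClient.postJson("/pub_test_allow_because_from_token/_search", matchAllQuery, new Header[0]);
                MatcherAssert.assertThat(allowedIndex.getBody(), allowedIndex.getStatusCode(), Matchers.equalTo(200));
                GenericRestClient.HttpResponse deniedIndex = currentTokenClient.postJson("/pub_test_deny/_search", matchAllQuery, new Header[0]);
                MatcherAssert.assertThat(deniedIndex.getBody(), deniedIndex.getStatusCode(), Matchers.equalTo(403));
            }
        } finally {
            // Restore the provider settings from SGCONFIG so the other tests run with the configured key.
            MatcherAssert.assertThat(updateAuthTokenServiceConfig(DocNode.parse(Format.YAML).from(SGCONFIG).findSingleNodeByJsonPath("sg_config.dynamic.auth_token_provider")), Matchers.anyOf(Matchers.hasEntry(Matchers.equalTo("jwt_signing_key"), Matchers.notNullValue()), Matchers.hasEntry(Matchers.equalTo("jwt_signing_key_hs512"), Matchers.notNullValue())));
        }
    }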

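    /**
     * Verifies that a token narrows the access of the user who created it.
     *
     * <p>User {@code spock} requests a token limited to {@code *_from_token} indices. The JWT
     * must use {@code HS512}, name {@code spock} as subject and carry a {@code base.c} claim.
     * With basic authentication {@code spock} can read both test indices; with the token, on
     * every node, only {@code pub_test_allow_because_from_token} is readable and a search on
     * {@code pub_test_deny} fails with "Insufficient permissions".
     *
     * <p>All clients are opened in try-with-resources so they are closed even when an
     * assertion fails.
     *
     * @throws Exception if a request fails or an assertion does not hold
     */
    @Test
    public void basicTest() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("spock", "spock", new Header[0])) {
            CreateAuthTokenRequest request = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
            request.setTokenName("my_new_token");
            GenericRestClient.HttpResponse response = restClient.postJson("/_searchguard/authtoken", request);
            MatcherAssert.assertThat(response.getBody(), response.getStatusCode(), Matchers.equalTo(200));
            String token = response.getBodyAsDocNode().getAsString("token");
            MatcherAssert.assertThat(token, Matchers.notNullValue());
            MatcherAssert.assertThat(getJwtHeaderValue(token, "alg"), Matchers.equalTo("HS512"));

            String payload = getJwtPayload(token);
            Map<?, ?> claims = DocReader.json().readObject(payload);
            String subject = JsonPath.using(BasicJsonPathDefaultConfiguration.defaultConfiguration()).parse(claims).read("sub", new Predicate[0]);
            MatcherAssert.assertThat(payload, subject, Matchers.equalTo("spock"));
            Object baseClaim = JsonPath.using(JSON_PATH_CONFIG).parse(claims).read("base.c", new Predicate[0]);
            MatcherAssert.assertThat(payload, baseClaim, Matchers.notNullValue());

            // Baseline with basic auth: the user can read both indices.
            try (RestHighLevelClient userClient = cluster.getRestHighLevelClient("spock", "spock")) {
                SearchResponse<?> allowed = userClient.search("pub_test_allow_because_from_token");
                MatcherAssert.assertThat(allowed.hits().total().value(), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map<?, ?>) allowed.hits().hits().get(0).source()).get("this_is"), Matchers.equalTo("allowed"));
                SearchResponse<?> outsideTokenScope = userClient.search("pub_test_deny");
                MatcherAssert.assertThat(outsideTokenScope.hits().total().value(), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map<?, ?>) outsideTokenScope.hits().hits().get(0).source()).get("this_is"), Matchers.equalTo("not_allowed_from_token"));
            }

            // With the token, every node must enforce the narrower index pattern.
            // The element type of nodes() is not visible here, hence the explicit cast.
            for (Object nodeObject : cluster.nodes()) {
                JvmEmbeddedEsCluster.Node node = (JvmEmbeddedEsCluster.Node) nodeObject;
                try (RestHighLevelClient tokenClient = node.getRestHighLevelClient(new BasicHeader("Authorization", "Bearer " + token))) {
                    SearchResponse<?> allowed = tokenClient.search("pub_test_allow_because_from_token");
                    MatcherAssert.assertThat(allowed.hits().total().value(), Matchers.equalTo(1L));
                    MatcherAssert.assertThat(((Map<?, ?>) allowed.hits().hits().get(0).source()).get("this_is"), Matchers.equalTo("allowed"));
                    ThrowableAssert.assertThatThrown(() -> {
                        tokenClient.search("pub_test_deny");
                    }, new Matcher[]{ExceptionsMatchers.messageContainsMatcher("Insufficient permissions")});
                }
            }
        }
    }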

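    /**
     * Repeats {@code basicTest} for a token created with {@code freezePrivileges} set to false.
     *
     * <p>The JWT must use {@code HS512} and name {@code spock} as subject, but in this mode the
     * {@code base.c} claim is expected to be absent. The access checks are the same: basic
     * authentication reads both indices, the token reads only
     * {@code pub_test_allow_because_from_token} on every node and a search on
     * {@code pub_test_deny} fails with "Insufficient permissions".
     *
     * <p>All clients are opened in try-with-resources so they are closed even when an
     * assertion fails.
     *
     * @throws Exception if a request fails or an assertion does not hold
     */
    @Test
    public void basicTestUnfrozenPrivileges() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("spock", "spock", new Header[0])) {
            CreateAuthTokenRequest request = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
            request.setFreezePrivileges(false);
            request.setTokenName("my_new_token_unfrozen_privileges");
            GenericRestClient.HttpResponse response = restClient.postJson("/_searchguard/authtoken", request);
            MatcherAssert.assertThat(response.getBody(), response.getStatusCode(), Matchers.equalTo(200));
            String token = response.getBodyAsDocNode().getAsString("token");
            MatcherAssert.assertThat(token, Matchers.notNullValue());
            MatcherAssert.assertThat(getJwtHeaderValue(token, "alg"), Matchers.equalTo("HS512"));

            String payload = getJwtPayload(token);
            Map<?, ?> claims = DocReader.json().readObject(payload);
            String subject = JsonPath.using(BasicJsonPathDefaultConfiguration.defaultConfiguration()).parse(claims).read("sub", new Predicate[0]);
            MatcherAssert.assertThat(payload, subject, Matchers.equalTo("spock"));
            // JSON_PATH_CONFIG suppresses exceptions, so a missing claim is read as null.
            Object baseClaim = JsonPath.using(JSON_PATH_CONFIG).parse(claims).read("base.c", new Predicate[0]);
            MatcherAssert.assertThat(payload, baseClaim, Matchers.nullValue());

            // Baseline with basic auth: the user can read both indices.
            try (RestHighLevelClient userClient = cluster.getRestHighLevelClient("spock", "spock")) {
                SearchResponse<?> allowed = userClient.search("pub_test_allow_because_from_token");
                MatcherAssert.assertThat(allowed.hits().total().value(), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map<?, ?>) allowed.hits().hits().get(0).source()).get("this_is"), Matchers.equalTo("allowed"));
                SearchResponse<?> outsideTokenScope = userClient.search("pub_test_deny");
                MatcherAssert.assertThat(outsideTokenScope.hits().total().value(), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map<?, ?>) outsideTokenScope.hits().hits().get(0).source()).get("this_is"), Matchers.equalTo("not_allowed_from_token"));
            }

            // With the token, every node must enforce the narrower index pattern.
            // The element type of nodes() is not visible here, hence the explicit cast.
            for (Object nodeObject : cluster.nodes()) {
                JvmEmbeddedEsCluster.Node node = (JvmEmbeddedEsCluster.Node) nodeObject;
                try (RestHighLevelClient tokenClient = node.getRestHighLevelClient(new BasicHeader("Authorization", "Bearer " + token))) {
                    SearchResponse<?> allowed = tokenClient.search("pub_test_allow_because_from_token");
                    MatcherAssert.assertThat(allowed.hits().total().value(), Matchers.equalTo(1L));
                    MatcherAssert.assertThat(((Map<?, ?>) allowed.hits().hits().get(0).source()).get("this_is"), Matchers.equalTo("allowed"));
                    ThrowableAssert.assertThatThrown(() -> {
                        tokenClient.search("pub_test_deny");
                    }, new Matcher[]{ExceptionsMatchers.messageContainsMatcher("Insufficient permissions")});
                }
            }
        }
    }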

    /**
     * Verifies the per-user token cap.
     *
     * <p>User {@code nagilum} creates ten tokens, each of which must be accepted with 200.
     * The eleventh request must be refused with 403 and the reason
     * "Cannot create token. Token limit per user exceeded. Max number of allowed tokens is 10".
     *
     * @throws Exception if a request fails or an assertion does not hold
     */
    @Test
    public void maxTokenCountTest() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("nagilum", "nagilum", new Header[0])) {
            CreateAuthTokenRequest request = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
            request.setTokenName("my_new_token");

            // Fill the quota: every one of these requests has to succeed.
            int created = 0;
            while (created < 10) {
                GenericRestClient.HttpResponse accepted = restClient.postJson("/_searchguard/authtoken", request);
                MatcherAssert.assertThat(accepted.getBody(), accepted.getStatusCode(), Matchers.equalTo(200));
                created++;
            }

            // One more than the quota must be rejected with an explicit reason.
            GenericRestClient.HttpResponse rejected = restClient.postJson("/_searchguard/authtoken", request);
            MatcherAssert.assertThat(rejected.getBody(), rejected.getStatusCode(), Matchers.equalTo(403));
            String reason = rejected.getBodyAsDocNode().findSingleNodeByJsonPath("error.root_cause[0].reason").toString();
            MatcherAssert.assertThat(rejected.getBody(), reason, Matchers.equalTo("Cannot create token. Token limit per user exceeded. Max number of allowed tokens is 10"));
        }
    }

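    /**
     * Verifies that a token cannot be used to mint further tokens.
     *
     * <p>User {@code spock} creates a token that requests wildcard cluster and index
     * permissions. A client authenticating with that token then tries to create another
     * token; the request must be refused with 403 and a body containing
     * "Insufficient permissions".
     *
     * <p>Both clients are opened in try-with-resources so the token-authenticated client is
     * closed even when an assertion fails.
     *
     * @throws Exception if a request fails or an assertion does not hold
     */
    @Test
    public void createTokenWithTokenForbidden() throws Exception {
        String wildcardPrivileges = "cluster_permissions: '*'\nindex_permissions:\n- index_patterns: '*'\n  allowed_actions: '*'";
        try (GenericRestClient restClient = cluster.getRestClient("spock", "spock", new Header[0])) {
            CreateAuthTokenRequest request = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml(wildcardPrivileges));
            request.setTokenName("my_new_token_with_with_i_am_trying_to_create_another_token");
            GenericRestClient.HttpResponse response = restClient.postJson("/_searchguard/authtoken", request);
            MatcherAssert.assertThat(response.getBody(), response.getStatusCode(), Matchers.equalTo(200));
            String token = response.getBodyAsDocNode().getAsString("token");
            MatcherAssert.assertThat(token, Matchers.notNullValue());

            // Even a token that asked for '*' everywhere must not reach the token-creation endpoint.
            try (GenericRestClient tokenClient = cluster.getRestClient(new Header[]{new BasicHeader("Authorization", "Bearer " + token)})) {
                CreateAuthTokenRequest nestedRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml(wildcardPrivileges));
                nestedRequest.setTokenName("this_token_should_not_be_created");
                GenericRestClient.HttpResponse refused = tokenClient.postJson("/_searchguard/authtoken", nestedRequest);
                MatcherAssert.assertThat(refused.getBody(), refused.getStatusCode(), Matchers.equalTo(403));
                MatcherAssert.assertThat(refused.getBody(), refused.getBody(), Matchers.containsString("Insufficient permissions"));
            }
        }
    }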

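    /**
     * Verifies that index access which differs between {@code user_attr_foo} and
     * {@code user_attr_qux} is the same under token authentication as under basic
     * authentication.
     *
     * <p>User {@code picard} creates a token for {@code user_attr_*}. With basic authentication
     * and with the token alike, {@code user_attr_foo} returns its single "allowed" document and
     * a search on {@code user_attr_qux} fails with "Insufficient permissions", although the
     * token's own pattern would match both indices.
     * NOTE(review): presumably picard's role selects the index through a user attribute defined
     * in the "authtoken" test resources - confirm there.
     *
     * <p>All clients are opened in try-with-resources so they are closed even when an
     * assertion fails.
     *
     * @throws Exception if a request fails or an assertion does not hold
     */
    @Test
    public void userAttrTest() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("picard", "picard", new Header[0])) {
            CreateAuthTokenRequest request = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: 'user_attr_*'\n  allowed_actions: '*'"));
            request.setTokenName("my_new_token");
            System.out.println(request.toJson());
            GenericRestClient.HttpResponse response = restClient.postJson("/_searchguard/authtoken", request);
            MatcherAssert.assertThat(response.getBody(), response.getStatusCode(), Matchers.equalTo(200));
            String token = response.getBodyAsDocNode().getAsString("token");
            MatcherAssert.assertThat(token, Matchers.notNullValue());

            // Baseline with basic auth.
            try (RestHighLevelClient userClient = cluster.getRestHighLevelClient("picard", "picard")) {
                SearchResponse<?> allowed = userClient.search("user_attr_foo");
                MatcherAssert.assertThat(allowed.hits().total().value(), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map<?, ?>) allowed.hits().hits().get(0).source()).get("this_is"), Matchers.equalTo("allowed"));
                ThrowableAssert.assertThatThrown(() -> {
                    userClient.search("user_attr_qux");
                }, new Matcher[]{ExceptionsMatchers.messageContainsMatcher("Insufficient permissions")});
            }

            // The token must yield exactly the same outcome.
            try (RestHighLevelClient tokenClient = cluster.getRestHighLevelClient(new Header[]{new BasicHeader("Authorization", "Bearer " + token)})) {
                SearchResponse<?> allowed = tokenClient.search("user_attr_foo");
                MatcherAssert.assertThat(allowed.hits().total().value(), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map<?, ?>) allowed.hits().hits().get(0).source()).get("this_is"), Matchers.equalTo("allowed"));
                ThrowableAssert.assertThatThrown(() -> {
                    tokenClient.search("user_attr_qux");
                }, new Matcher[]{ExceptionsMatchers.messageContainsMatcher("Insufficient permissions")});
            }
        }
    }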

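    /**
     * Verifies that document filtering on {@code dls_user_attr} still applies under token
     * authentication.
     *
     * <p>User {@code picard} creates a token for all indices. {@code admin} sees both documents
     * in {@code dls_user_attr}; {@code picard} sees only the "allowed" one, and a client using
     * picard's token must see that same single document.
     * NOTE(review): the index name suggests a document-level security rule driven by a user
     * attribute; the rule itself is not visible in this file - confirm in the test resources.
     *
     * <p>All clients are opened in try-with-resources so they are closed even when an
     * assertion fails.
     *
     * @throws Exception if a request fails or an assertion does not hold
     */
    @Test
    public void userAttrTestDls() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("picard", "picard", new Header[0])) {
            CreateAuthTokenRequest request = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*'\n  allowed_actions: '*'"));
            request.setTokenName("my_new_token");
            GenericRestClient.HttpResponse response = restClient.postJson("/_searchguard/authtoken", request);
            MatcherAssert.assertThat(response.getBody(), response.getStatusCode(), Matchers.equalTo(200));
            String token = response.getBodyAsDocNode().getAsString("token");
            MatcherAssert.assertThat(token, Matchers.notNullValue());

            // Unfiltered view: both documents exist.
            try (RestHighLevelClient adminClient = cluster.getRestHighLevelClient("admin", "admin")) {
                MatcherAssert.assertThat(adminClient.search("dls_user_attr").hits().total().value(), Matchers.equalTo(2L));
            }

            // Baseline with basic auth: only the permitted document is returned.
            try (RestHighLevelClient userClient = cluster.getRestHighLevelClient("picard", "picard")) {
                SearchResponse<?> filtered = userClient.search("dls_user_attr");
                MatcherAssert.assertThat(filtered.hits().total().value(), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map<?, ?>) filtered.hits().hits().get(0).source()).get("this_is"), Matchers.equalTo("allowed"));
            }

            // A wildcard token must not widen the view beyond what the user sees.
            try (RestHighLevelClient tokenClient = cluster.getRestHighLevelClient(new Header[]{new BasicHeader("Authorization", "Bearer " + token)})) {
                SearchResponse<?> filtered = tokenClient.search("dls_user_attr");
                MatcherAssert.assertThat(filtered.hits().total().value(), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map<?, ?>) filtered.hits().hits().get(0).source()).get("this_is"), Matchers.equalTo("allowed"));
            }
        }
    }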

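    /**
     * Verifies that a revoked token is rejected on every node.
     *
     * <p>User {@code spock} creates a token limited to {@code *_from_token} indices. Before
     * revocation the token works on each node (permitted index readable, {@code pub_test_deny}
     * refused with "Insufficient permissions"). After {@code DELETE /_searchguard/authtoken/{id}}
     * returns 200, a search with the same token must fail on each node with an
     * {@code ElasticsearchException} whose status is 401.
     *
     * <p>Each per-node client is a try-with-resources variable, which closes it when an
     * assertion fails and also makes it effectively final for the lambdas that capture it.
     *
     * @throws Exception if a request fails or an assertion does not hold
     */
    @Test
    public void revocationTest() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("spock", "spock", new Header[0])) {
            CreateAuthTokenRequest request = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
            request.setTokenName("my_new_token");
            GenericRestClient.HttpResponse response = restClient.postJson("/_searchguard/authtoken", request);
            MatcherAssert.assertThat(response.getBody(), response.getStatusCode(), Matchers.equalTo(200));
            String token = response.getBodyAsDocNode().getAsString("token");
            String tokenId = response.getBodyAsDocNode().getAsString("id");
            MatcherAssert.assertThat(token, Matchers.notNullValue());
            MatcherAssert.assertThat(tokenId, Matchers.notNullValue());

            // Before revocation: the token is accepted and scoped on every node.
            // The element type of nodes() is not visible here, hence the explicit cast.
            for (Object nodeObject : cluster.nodes()) {
                JvmEmbeddedEsCluster.Node node = (JvmEmbeddedEsCluster.Node) nodeObject;
                try (RestHighLevelClient tokenClient = node.getRestHighLevelClient(new BasicHeader("Authorization", "Bearer " + token))) {
                    SearchResponse<?> allowed = tokenClient.search("pub_test_allow_because_from_token");
                    MatcherAssert.assertThat(allowed.hits().total().value(), Matchers.equalTo(1L));
                    MatcherAssert.assertThat(((Map<?, ?>) allowed.hits().hits().get(0).source()).get("this_is"), Matchers.equalTo("allowed"));
                    ThrowableAssert.assertThatThrown(() -> {
                        tokenClient.search("pub_test_deny");
                    }, new Matcher[]{ExceptionsMatchers.messageContainsMatcher("Insufficient permissions")});
                }
            }

            GenericRestClient.HttpResponse revocation = restClient.delete("/_searchguard/authtoken/" + tokenId, new Header[0]);
            MatcherAssert.assertThat(revocation.getBody(), revocation.getStatusCode(), Matchers.equalTo(200));
            // NOTE(review): fixed delay before re-checking; presumably it gives the revocation
            // time to reach every node. A bounded polling wait would be less timing-sensitive.
            Thread.sleep(100L);

            // After revocation: the same token must be refused as unauthenticated on every node.
            for (Object nodeObject : cluster.nodes()) {
                JvmEmbeddedEsCluster.Node node = (JvmEmbeddedEsCluster.Node) nodeObject;
                try (RestHighLevelClient tokenClient = node.getRestHighLevelClient(new BasicHeader("Authorization", "Bearer " + token))) {
                    ElasticsearchException rejection = ThrowableAssert.assertThatThrown(() -> {
                        tokenClient.search("pub_test_allow_because_from_token");
                    }, new Matcher[]{Matchers.instanceOf(ElasticsearchException.class)});
                    MatcherAssert.assertThat(rejection.getMessage(), rejection.status(), Matchers.equalTo(RestStatus.UNAUTHORIZED.getStatus()));
                }
            }
        }
    }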

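    /**
     * Checks that a revoked auth token is rejected on every node of a dedicated cluster.
     *
     * <p>User {@code spock} creates a token with wildcard privileges and {@code freezePrivileges}
     * set to {@code false}; the cluster is started with an empty
     * {@code exclude_cluster_permissions} list. The token must first work as a bearer credential
     * on each node. After {@code DELETE /_searchguard/authtoken/{id}} every node must answer the
     * same search with {@code 401 Unauthorized}.
     *
     * <p>All clients and the cluster are managed by try-with-resources so they are released even
     * when an assertion fails part-way through.
     *
     * @throws Exception if cluster start-up, a request or an assertion fails
     */
    @Test
    public void revocationWithoutSpecialPrivsTest() throws Exception {
        try (LocalCluster.Embedded start = new LocalCluster.Builder()
                .nodeSettings(new Object[]{"searchguard.restapi.roles_enabled.0", "sg_admin"})
                .resources("authtoken")
                .sslEnabled()
                .sgConfig(sgConfig.clone().sgConfigSettings("sg_config.dynamic.auth_token_provider.exclude_cluster_permissions", Collections.emptyList(), new Object[0]))
                .enterpriseModulesEnabled()
                .enableModule(AuthTokenModule.class)
                .embedded()
                .start();
                GenericRestClient restClient = start.getRestClient("spock", "spock", new Header[0])) {
            // Seed the single document the token is later used to read.
            start.getInternalNodeClient().index(new IndexRequest("pub_test_allow_because_from_token").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"this_is", "allowed"})).actionGet();

            CreateAuthTokenRequest createAuthTokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.totalWildcard());
            createAuthTokenRequest.setTokenName("my_new_token_without_special_privs");
            createAuthTokenRequest.setFreezePrivileges(false);
            GenericRestClient.HttpResponse created = restClient.postJson("/_searchguard/authtoken", createAuthTokenRequest.toJson(), new Header[0]);
            MatcherAssert.assertThat(created.getBody(), Integer.valueOf(created.getStatusCode()), Matchers.equalTo(200));
            String token = created.getBodyAsDocNode().getAsString("token");
            String tokenId = created.getBodyAsDocNode().getAsString("id");
            MatcherAssert.assertThat(token, Matchers.notNullValue());
            MatcherAssert.assertThat(tokenId, Matchers.notNullValue());

            // Positive control: before revocation the bearer token is accepted on each node.
            Iterator<?> nodesBeforeRevocation = start.nodes().iterator();
            while (nodesBeforeRevocation.hasNext()) {
                JvmEmbeddedEsCluster.Node node = (JvmEmbeddedEsCluster.Node) nodesBeforeRevocation.next();
                try (RestHighLevelClient restHighLevelClient = node.getRestHighLevelClient(new BasicHeader("Authorization", "Bearer " + token))) {
                    SearchResponse search = restHighLevelClient.search("pub_test_allow_because_from_token");
                    MatcherAssert.assertThat(Long.valueOf(search.hits().total().value()), Matchers.equalTo(1L));
                    MatcherAssert.assertThat(((Map) ((Hit) search.hits().hits().get(0)).source()).get("this_is"), Matchers.equalTo("allowed"));
                }
            }

            // Revocation is addressed by the token's id, not by the bearer string.
            GenericRestClient.HttpResponse delete = restClient.delete("/_searchguard/authtoken/" + tokenId, new Header[0]);
            MatcherAssert.assertThat(delete.getBody(), Integer.valueOf(delete.getStatusCode()), Matchers.equalTo(200));

            // Fixed pause before the per-node checks; presumably it lets the revocation reach all
            // nodes. NOTE(review): a bounded polling wait would be less timing-sensitive.
            Thread.sleep(100L);

            // After revocation no node may accept the token any more.
            Iterator<?> nodesAfterRevocation = start.nodes().iterator();
            while (nodesAfterRevocation.hasNext()) {
                JvmEmbeddedEsCluster.Node node = (JvmEmbeddedEsCluster.Node) nodesAfterRevocation.next();
                try (RestHighLevelClient restHighLevelClient = node.getRestHighLevelClient(new BasicHeader("Authorization", "Bearer " + token))) {
                    ElasticsearchException rejected = ThrowableAssert.assertThatThrown(() -> {
                        restHighLevelClient.search("pub_test_allow_because_from_token");
                    }, new Matcher[]{Matchers.instanceOf(ElasticsearchException.class)});
                    MatcherAssert.assertThat(rejected.getMessage(), Integer.valueOf(rejected.status()), Matchers.equalTo(Integer.valueOf(RestStatus.UNAUTHORIZED.getStatus())));
                }
            }
        }
    }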

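    /**
     * Checks that the token search and get endpoints only expose a user's own tokens.
     *
     * <p>User {@code spock} creates two tokens and user {@code picard} creates one, all matching
     * {@code get_and_search_test_*}. The test then asserts that
     * <ul>
     *   <li>{@code spock}'s unfiltered search response never mentions {@code "picard"},</li>
     *   <li>{@code spock}'s wildcard search returns exactly two hits, both owned by {@code spock},</li>
     *   <li>{@code spock} can fetch one of those hits by id,</li>
     *   <li>{@code spock} gets {@code 404} when asking for {@code picard}'s token, and</li>
     *   <li>{@code admin} sees three hits, covering both users, for the same wildcard search.</li>
     * </ul>
     *
     * @throws Exception if a request or an assertion fails
     */
    @Test
    public void getAndSearchTest() throws Exception {
        String wildcardQuery = "{\n    \"query\": {\n        \"wildcard\": {\n            \"token_name\": {\n                \"value\": \"get_and_search_test_*\"\n            }\n        }\n    }\n}";

        try (GenericRestClient restClient = cluster.getRestClient("spock", "spock", new Header[0]);
                GenericRestClient restClient2 = cluster.getRestClient("picard", "picard", new Header[0]);
                GenericRestClient restClient3 = cluster.getRestClient("admin", "admin", new Header[0])) {
            CreateAuthTokenRequest createAuthTokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));

            createAuthTokenRequest.setTokenName("get_and_search_test_token");
            GenericRestClient.HttpResponse spockToken1 = restClient.postJson("/_searchguard/authtoken", createAuthTokenRequest);
            MatcherAssert.assertThat(spockToken1.getBody(), Integer.valueOf(spockToken1.getStatusCode()), Matchers.equalTo(200));

            createAuthTokenRequest.setTokenName("get_and_search_test_token_2");
            GenericRestClient.HttpResponse spockToken2 = restClient.postJson("/_searchguard/authtoken", createAuthTokenRequest);
            MatcherAssert.assertThat(spockToken2.getBody(), Integer.valueOf(spockToken2.getStatusCode()), Matchers.equalTo(200));

            createAuthTokenRequest.setTokenName("get_and_search_test_token_picard");
            GenericRestClient.HttpResponse picardToken = restClient2.postJson("/_searchguard/authtoken", createAuthTokenRequest);
            MatcherAssert.assertThat(picardToken.getBody(), Integer.valueOf(picardToken.getStatusCode()), Matchers.equalTo(200));
            // The get endpoint is addressed by token id. Reading the "token" field here instead
            // would put the bearer credential into a URL and would make the 404 check below pass
            // for any server, whether or not it isolates users from each other.
            String picardTokenId = picardToken.getBodyAsDocNode().getAsString("id");

            GenericRestClient.HttpResponse ownTokens = restClient.get("/_searchguard/authtoken/_search", new Header[0]);
            MatcherAssert.assertThat(ownTokens.getBody(), Integer.valueOf(ownTokens.getStatusCode()), Matchers.equalTo(200));
            MatcherAssert.assertThat(ownTokens.getBody(), ownTokens.getBody(), Matchers.not(Matchers.containsString("\"picard\"")));

            GenericRestClient.HttpResponse spockSearch = restClient.postJson("/_searchguard/authtoken/_search", wildcardQuery, new Header[0]);
            MatcherAssert.assertThat(spockSearch.getBody(), Integer.valueOf(spockSearch.getStatusCode()), Matchers.equalTo(200));
            DocNode spockSearchBody = spockSearch.getBodyAsDocNode();
            MatcherAssert.assertThat(spockSearch.getBody(), spockSearchBody.getAsNode("hits", new String[]{"total", "value"}).toNumber(), Matchers.equalTo(2));
            MatcherAssert.assertThat(spockSearch.getBody(), spockSearchBody.findSingleNodeByJsonPath("hits.hits[0]._source.user_name").toString(), Matchers.equalTo("spock"));
            MatcherAssert.assertThat(spockSearch.getBody(), spockSearchBody.findSingleNodeByJsonPath("hits.hits[1]._source.user_name").toString(), Matchers.equalTo("spock"));

            // Fetching one of spock's own hits by id must return the same token name.
            DocNode firstHit = (DocNode) spockSearchBody.getAsNode("hits").getAsListOfNodes("hits").get(0);
            String ownTokenId = firstHit.getAsString("_id");
            String ownTokenName = firstHit.getAsNode("_source").getAsString("token_name");
            GenericRestClient.HttpResponse ownTokenById = restClient.get("/_searchguard/authtoken/" + ownTokenId, new Header[0]);
            MatcherAssert.assertThat(ownTokenById.getBody(), ownTokenById.getBodyAsDocNode().getAsString("token_name"), Matchers.equalTo(ownTokenName));

            // Cross-user access: spock asks for picard's token by id and must not learn that it
            // exists. NOTE(review): 404 is the status the test expected before; confirm it is
            // also what the service returns for an existing token owned by another user.
            GenericRestClient.HttpResponse foreignTokenById = restClient.get("/_searchguard/authtoken/" + picardTokenId, new Header[0]);
            MatcherAssert.assertThat(foreignTokenById.getBody(), Integer.valueOf(foreignTokenById.getStatusCode()), Matchers.equalTo(404));

            // The admin user is expected to see the tokens of both users.
            GenericRestClient.HttpResponse adminSearch = restClient3.postJson("/_searchguard/authtoken/_search", wildcardQuery, new Header[0]);
            MatcherAssert.assertThat(adminSearch.getBody(), adminSearch.getBodyAsDocNode().get("hits", new String[]{"total", "value"}), Matchers.equalTo(3));
            MatcherAssert.assertThat(adminSearch.getBody(), adminSearch.getBody(), Matchers.containsString("\"spock\""));
            MatcherAssert.assertThat(adminSearch.getBody(), adminSearch.getBody(), Matchers.containsString("\"picard\""));
        }
    }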

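    /**
     * Checks that a cluster configured with {@code jwt_encryption_key_a256kw} issues encrypted
     * tokens and that such a token still restricts the user to the requested privileges.
     *
     * <p>The token header must announce {@code alg=A256KW} and {@code enc=A256CBC-HS512}, and the
     * inspected token segment must not contain the user name in clear text. With basic auth
     * {@code spock} can read both indices; with the bearer token only the index matching
     * {@code *_from_token} is readable and the other search fails with "Insufficient permissions".
     *
     * <p>The cluster and all clients are managed by try-with-resources so they are released even
     * when an assertion fails.
     *
     * @throws Exception if cluster start-up, a request or an assertion fails
     */
    @Test
    public void encryptedAuthTokenTest() throws Exception {
        // The signing and encryption keys below are fixed test fixtures; they are public by
        // virtue of living in the test sources and must never be used for a real deployment.
        try (LocalCluster.Embedded start = new LocalCluster.Builder().resources("authtoken").sslEnabled().singleNode().sgConfig(new TestSgConfig().resources("authtoken").sgConfigSettings("", TestSgConfig.fromYaml("_sg_meta:\n  type: \"config\"\n  config_version: 2\n\nsg_config:\n  dynamic:\n    auth_token_provider: \n      enabled: true\n      jwt_signing_key_hs512: \"0c8YGg-YdAuOqIZFMoWm0INDnZhmZmTy3ovdZ3PDeJwAQ1qEYn_sivE0960sIKl8sRQnIti7-JEUeVfeJxgpBg==\"\n      jwt_encryption_key_a256kw: \"Z74PlpmePaZg2Ubm3ipD9QE4uX45GWAPwjMHCKpb6Xk=\"\n      jwt_aud: \"searchguard_tokenauth\"\n      max_validity: \"1y\"\n    authc:\n      authentication_domain_basic_internal:\n        http_enabled: true\n        transport_enabled: true\n        order: 1\n        http_authenticator:\n          challenge: true\n          type: \"basic\"\n          config: {}\n        authentication_backend:\n          type: \"intern\"\n          config:\n            map_db_attrs_to_user_attrs:\n              index: test_attr_1.c\n              all: test_attr_1\n      sg_issued_jwt_auth_domain:\n        description: \"Authenticate via Json Web Tokens issued by Search Guard\"\n        http_enabled: true\n        transport_enabled: false\n        order: 0\n        http_authenticator:\n          type: sg_auth_token\n          challenge: false\n        authentication_backend:\n          type: sg_auth_token"), new Object[0])).enterpriseModulesEnabled().enableModule(AuthTokenModule.class).embedded().start();
                GenericRestClient restClient = start.getRestClient("spock", "spock", new Header[0])) {
            // One document the token must not reach, one it must reach.
            Client internalNodeClient = start.getInternalNodeClient();
            internalNodeClient.index(new IndexRequest("pub_test_deny").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"this_is", "not_allowed_from_token"})).actionGet();
            internalNodeClient.index(new IndexRequest("pub_test_allow_because_from_token").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"this_is", "allowed"})).actionGet();

            CreateAuthTokenRequest createAuthTokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
            createAuthTokenRequest.setTokenName("my_new_token");
            System.out.println(createAuthTokenRequest.toJson());
            GenericRestClient.HttpResponse created = restClient.postJson("/_searchguard/authtoken", createAuthTokenRequest);
            MatcherAssert.assertThat(created.getBody(), Integer.valueOf(created.getStatusCode()), Matchers.equalTo(200));
            String token = created.getBodyAsDocNode().getAsString("token");
            MatcherAssert.assertThat(token, Matchers.notNullValue());

            MatcherAssert.assertThat(getJwtHeaderValue(token, "alg"), Matchers.equalTo("A256KW"));
            MatcherAssert.assertThat(getJwtHeaderValue(token, "enc"), Matchers.equalTo("A256CBC-HS512"));
            // NOTE(review): getJwtPayload returns the text between the first and second '.'. If
            // the token is a five-part compact JWE, that segment would be the wrapped key rather
            // than the ciphertext, so this check might pass trivially — confirm which segment
            // should be inspected.
            MatcherAssert.assertThat("JWT payload seems to be unencrypted because it contains the user name in clear text: " + getJwtPayload(token), getJwtPayload(token), Matchers.not(Matchers.containsString("spock")));

            // Baseline with basic auth: the user itself may read both indices.
            try (RestHighLevelClient restHighLevelClient = start.getRestHighLevelClient("spock", "spock")) {
                SearchResponse allowed = restHighLevelClient.search("pub_test_allow_because_from_token");
                MatcherAssert.assertThat(Long.valueOf(allowed.hits().total().value()), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map) ((Hit) allowed.hits().hits().get(0)).source()).get("this_is"), Matchers.equalTo("allowed"));
                SearchResponse deniedForToken = restHighLevelClient.search("pub_test_deny");
                MatcherAssert.assertThat(Long.valueOf(deniedForToken.hits().total().value()), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map) ((Hit) deniedForToken.hits().hits().get(0)).source()).get("this_is"), Matchers.equalTo("not_allowed_from_token"));
            }

            // With the bearer token only the index covered by the requested privileges is readable.
            try (RestHighLevelClient restHighLevelClient2 = start.getRestHighLevelClient(new Header[]{new BasicHeader("Authorization", "Bearer " + token)})) {
                SearchResponse viaToken = restHighLevelClient2.search("pub_test_allow_because_from_token");
                MatcherAssert.assertThat(Long.valueOf(viaToken.hits().total().value()), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map) ((Hit) viaToken.hits().hits().get(0)).source()).get("this_is"), Matchers.equalTo("allowed"));
                ThrowableAssert.assertThatThrown(() -> {
                    restHighLevelClient2.search("pub_test_deny");
                }, new Matcher[]{ExceptionsMatchers.messageContainsMatcher("Insufficient permissions")});
            }
        }
    }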

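    /**
     * Checks that a cluster configured with an EC (P-256) {@code jwt_signing_key} issues tokens
     * signed with {@code ES256} and that such a token restricts the user to the requested
     * privileges.
     *
     * <p>No encryption key is configured here, so the test expects the user name to be readable
     * in the decoded payload segment. With basic auth {@code spock} can read both indices; with
     * the bearer token only the index matching {@code *_from_token} is readable and the other
     * search fails with "Insufficient permissions".
     *
     * <p>The cluster and all clients are managed by try-with-resources so they are released even
     * when an assertion fails.
     *
     * @throws Exception if cluster start-up, a request or an assertion fails
     */
    @Test
    public void ecSignedAuthTokenTest() throws Exception {
        // The EC key below (including its private component "d") is a fixed test fixture; it is
        // public by virtue of living in the test sources and must never be used for a real
        // deployment.
        try (LocalCluster.Embedded start = new LocalCluster.Builder().resources("authtoken").sslEnabled().singleNode().sgConfig(new TestSgConfig().resources("authtoken").sgConfigSettings("", TestSgConfig.fromYaml("_sg_meta:\n  type: \"config\"\n  config_version: 2\n\nsg_config:\n  dynamic:\n    auth_token_provider: \n      enabled: true\n      jwt_signing_key: \n        kty: EC\n        d: \"1nlQeqOq48OPWiDkmOIXLF_XBWUe9LSznBvWzPI4Ggo\"\n        use: sig\n        crv: P-256\n        x: \"lBybOJZyK6r8Nx54Jn4cKoDUZgyOdLlsQ2EHk-7LStk\"\n        y: \"BwSiCmlnS1CDetg_iuxBZKkh6VTMrra0aIT9dBeoCZU\"\n        alg: ES256\n      jwt_aud: \"searchguard_tokenauth\"\n      max_validity: \"1y\"\n    authc:\n      authentication_domain_basic_internal:\n        http_enabled: true\n        transport_enabled: true\n        order: 1\n        http_authenticator:\n          challenge: true\n          type: \"basic\"\n          config: {}\n        authentication_backend:\n          type: \"intern\"\n          config:\n            map_db_attrs_to_user_attrs:\n              index: test_attr_1.c\n              all: test_attr_1\n      sg_issued_jwt_auth_domain:\n        description: \"Authenticate via Json Web Tokens issued by Search Guard\"\n        http_enabled: true\n        transport_enabled: false\n        order: 0\n        http_authenticator:\n          type: sg_auth_token\n          challenge: false\n        authentication_backend:\n          type: sg_auth_token"), new Object[0])).enterpriseModulesEnabled().enableModule(AuthTokenModule.class).embedded().start();
                GenericRestClient restClient = start.getRestClient("spock", "spock", new Header[0])) {
            // One document the token must not reach, one it must reach.
            Client internalNodeClient = start.getInternalNodeClient();
            internalNodeClient.index(new IndexRequest("pub_test_deny").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"this_is", "not_allowed_from_token"})).actionGet();
            internalNodeClient.index(new IndexRequest("pub_test_allow_because_from_token").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"this_is", "allowed"})).actionGet();

            CreateAuthTokenRequest createAuthTokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
            createAuthTokenRequest.setTokenName("my_new_token");
            System.out.println(createAuthTokenRequest.toJson());
            GenericRestClient.HttpResponse created = restClient.postJson("/_searchguard/authtoken", createAuthTokenRequest);
            MatcherAssert.assertThat(created.getBody(), Integer.valueOf(created.getStatusCode()), Matchers.equalTo(200));
            String token = created.getBodyAsDocNode().getAsString("token");
            MatcherAssert.assertThat(token, Matchers.notNullValue());

            // Signed-only token: the header names ES256 and the payload is readable after decoding.
            MatcherAssert.assertThat(getJwtHeaderValue(token, "alg"), Matchers.equalTo("ES256"));
            MatcherAssert.assertThat(getJwtPayload(token), getJwtPayload(token), Matchers.containsString("spock"));

            // Baseline with basic auth: the user itself may read both indices.
            try (RestHighLevelClient restHighLevelClient = start.getRestHighLevelClient("spock", "spock")) {
                SearchResponse allowed = restHighLevelClient.search("pub_test_allow_because_from_token");
                MatcherAssert.assertThat(Long.valueOf(allowed.hits().total().value()), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map) ((Hit) allowed.hits().hits().get(0)).source()).get("this_is"), Matchers.equalTo("allowed"));
                SearchResponse deniedForToken = restHighLevelClient.search("pub_test_deny");
                MatcherAssert.assertThat(Long.valueOf(deniedForToken.hits().total().value()), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map) ((Hit) deniedForToken.hits().hits().get(0)).source()).get("this_is"), Matchers.equalTo("not_allowed_from_token"));
            }

            // With the bearer token only the index covered by the requested privileges is readable.
            try (RestHighLevelClient restHighLevelClient2 = start.getRestHighLevelClient(new Header[]{new BasicHeader("Authorization", "Bearer " + token)})) {
                SearchResponse viaToken = restHighLevelClient2.search("pub_test_allow_because_from_token");
                MatcherAssert.assertThat(Long.valueOf(viaToken.hits().total().value()), Matchers.equalTo(1L));
                MatcherAssert.assertThat(((Map) ((Hit) viaToken.hits().hits().get(0)).source()).get("this_is"), Matchers.equalTo("allowed"));
                ThrowableAssert.assertThatThrown(() -> {
                    restHighLevelClient2.search("pub_test_deny");
                }, new Matcher[]{ExceptionsMatchers.messageContainsMatcher("Insufficient permissions")});
            }
        }
    }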

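    /**
     * Checks that a token carrying {@code cluster_permissions: ['*']} can call the Search Guard
     * configuration REST API.
     *
     * <p>The {@code admin} user creates the token, confirms that {@code _searchguard/api/roles}
     * answers {@code 200} with basic auth, and then repeats the request authenticated only by the
     * bearer token.
     *
     * @throws Exception if a request or an assertion fails
     */
    @Test
    public void sgAdminRestApiTest() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("admin", "admin", new Header[0])) {
            CreateAuthTokenRequest createAuthTokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("cluster_permissions: ['*']"));
            createAuthTokenRequest.setTokenName("rest_api_test_token");
            GenericRestClient.HttpResponse created = restClient.postJson("/_searchguard/authtoken", createAuthTokenRequest);
            MatcherAssert.assertThat(created.getBody(), Integer.valueOf(created.getStatusCode()), Matchers.equalTo(200));
            String token = created.getBodyAsDocNode().getAsString("token");
            MatcherAssert.assertThat(token, Matchers.notNullValue());

            // Baseline: the admin user itself may use the REST API.
            GenericRestClient.HttpResponse viaBasicAuth = restClient.get("_searchguard/api/roles", new Header[0]);
            MatcherAssert.assertThat(viaBasicAuth.getBody(), Integer.valueOf(viaBasicAuth.getStatusCode()), Matchers.equalTo(200));

            try (GenericRestClient restClient2 = cluster.getRestClient(new Header[]{new BasicHeader("Authorization", "Bearer " + token)})) {
                // This request has to go through the token client; sending it through restClient
                // would only repeat the basic-auth check above and never exercise the token.
                // NOTE(review): confirm that 200 is the intended result for a wildcard token
                // under this cluster's default exclude_cluster_permissions.
                GenericRestClient.HttpResponse viaToken = restClient2.get("_searchguard/api/roles", new Header[0]);
                MatcherAssert.assertThat(viaToken.getBody(), Integer.valueOf(viaToken.getStatusCode()), Matchers.equalTo(200));
            }
        }
    }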

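    /**
     * Checks that a token limited to index permissions cannot call the Search Guard configuration
     * REST API, even though it was created by the {@code admin} user.
     *
     * <p>With basic auth {@code _searchguard/api/roles} answers {@code 200}; with the bearer
     * token, whose privileges only cover indices matching {@code *_from_token}, the same request
     * must answer {@code 403}.
     *
     * <p>Both clients are managed by try-with-resources so they are closed even when an assertion
     * fails.
     *
     * @throws Exception if a request or an assertion fails
     */
    @Test
    public void sgAdminRestApiForbiddenTest() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("admin", "admin", new Header[0])) {
            CreateAuthTokenRequest createAuthTokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
            createAuthTokenRequest.setTokenName("rest_api_test_token");
            GenericRestClient.HttpResponse created = restClient.postJson("/_searchguard/authtoken", createAuthTokenRequest);
            MatcherAssert.assertThat(created.getBody(), Integer.valueOf(created.getStatusCode()), Matchers.equalTo(200));
            String token = created.getBodyAsDocNode().getAsString("token");
            MatcherAssert.assertThat(token, Matchers.notNullValue());

            // Baseline: the admin user itself may use the REST API.
            GenericRestClient.HttpResponse viaBasicAuth = restClient.get("_searchguard/api/roles", new Header[0]);
            MatcherAssert.assertThat(viaBasicAuth.getBody(), Integer.valueOf(viaBasicAuth.getStatusCode()), Matchers.equalTo(200));

            // The token narrows the creator's privileges, so the REST API must be refused.
            try (GenericRestClient restClient2 = cluster.getRestClient(new Header[]{new BasicHeader("Authorization", "Bearer " + token)})) {
                GenericRestClient.HttpResponse viaToken = restClient2.get("_searchguard/api/roles", new Header[0]);
                MatcherAssert.assertThat(viaToken.getBody(), Integer.valueOf(viaToken.getStatusCode()), Matchers.equalTo(403));
            }
        }
    }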

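    /**
     * Checks that {@code exclude_cluster_permissions} in a token request overrides a wildcard
     * grant.
     *
     * <p>The token asks for {@code cluster_permissions: ['*']} but excludes
     * {@code cluster:admin:searchguard:configrestapi}. With basic auth
     * {@code _searchguard/api/roles} answers {@code 200}; with the bearer token the same request
     * must answer {@code 403}.
     *
     * <p>Both clients are managed by try-with-resources so they are closed even when an assertion
     * fails.
     *
     * @throws Exception if a request or an assertion fails
     */
    @Test
    public void sgAdminRestApiExclusionTest() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("admin", "admin", new Header[0])) {
            CreateAuthTokenRequest createAuthTokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("cluster_permissions: ['*']\nexclude_cluster_permissions: ['cluster:admin:searchguard:configrestapi']"));
            createAuthTokenRequest.setTokenName("rest_api_test_token");
            GenericRestClient.HttpResponse created = restClient.postJson("/_searchguard/authtoken", createAuthTokenRequest.toJson(), new Header[0]);
            MatcherAssert.assertThat(created.getBody(), Integer.valueOf(created.getStatusCode()), Matchers.equalTo(200));
            String token = created.getBodyAsDocNode().getAsString("token");
            MatcherAssert.assertThat(token, Matchers.notNullValue());

            // Baseline: the admin user itself may use the REST API.
            GenericRestClient.HttpResponse viaBasicAuth = restClient.get("_searchguard/api/roles", new Header[0]);
            MatcherAssert.assertThat(viaBasicAuth.getBody(), Integer.valueOf(viaBasicAuth.getStatusCode()), Matchers.equalTo(200));

            // The exclusion has to win over the wildcard, so the REST API must be refused.
            try (GenericRestClient restClient2 = cluster.getRestClient(new Header[]{new BasicHeader("Authorization", "Bearer " + token)})) {
                GenericRestClient.HttpResponse viaToken = restClient2.get("_searchguard/api/roles", new Header[0]);
                MatcherAssert.assertThat(viaToken.getBody(), Integer.valueOf(viaToken.getStatusCode()), Matchers.equalTo(403));
            }
        }
    }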

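    /**
     * Checks that {@code GET /_searchguard/authtoken/_info} answers {@code 200} for the
     * {@code admin} user and reports {@code "enabled": true}.
     *
     * <p>The client is managed by try-with-resources, which closes it exactly once on both the
     * success and the failure path.
     *
     * @throws Exception if the request or an assertion fails
     */
    @Test
    public void infoApiTest() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("admin", "admin", new Header[0])) {
            GenericRestClient.HttpResponse info = restClient.get("/_searchguard/authtoken/_info", new Header[0]);
            MatcherAssert.assertThat(info.getBody(), Integer.valueOf(info.getStatusCode()), Matchers.equalTo(200));
            MatcherAssert.assertThat(info.getBody(), info.getBodyAsDocNode().get("enabled"), Matchers.equalTo(Boolean.TRUE));
        }
    }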

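    /**
     * Writes an auth token service configuration through {@code /_searchguard/config} and checks
     * that reading the configuration back returns the same content.
     *
     * <p>The signing key is taken from the {@code TestJwk} fixture. The read-back assertion compares
     * the full content, signing key included, so the GET response of this endpoint carries the key
     * material; the test talks to it with the client from {@code cluster.getAdminCertRestClient()}.
     *
     * @throws Exception if a request or closing the client fails
     */
    @Test
    public void bulkConfigApi() throws Exception {
        DocNode authTokenServiceConfig = DocNode.of(
                "jwt_signing_key_hs512", com.floragunn.searchguard.enterprise.auth.oidc.TestJwk.OCT_1_K,
                "max_tokens_per_user", 100,
                "enabled", true);

        // try-with-resources replaces the hand-expanded close logic: the client is closed exactly
        // once, and a failure in close() is attached as suppressed to the primary failure.
        try (GenericRestClient adminCertRestClient = cluster.getAdminCertRestClient()) {
            GenericRestClient.HttpResponse putJson =
                    adminCertRestClient.putJson("/_searchguard/config", DocNode.of("auth_token_service.content", authTokenServiceConfig));
            MatcherAssert.assertThat(putJson.getBody(), Integer.valueOf(putJson.getStatusCode()), Matchers.equalTo(200));

            GenericRestClient.HttpResponse httpResponse = adminCertRestClient.get("/_searchguard/config", new Header[0]);
            MatcherAssert.assertThat(httpResponse.getBody(), Integer.valueOf(httpResponse.getStatusCode()), Matchers.equalTo(200));
            // Round trip: what was written must be what is read back.
            MatcherAssert.assertThat(
                    httpResponse.getBodyAsDocNode().get("auth_token_service", new String[]{"content"}),
                    Matchers.equalTo(authTokenServiceConfig.toMap()));
        }
    }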

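    /**
     * Decodes the header (the segment before the first {@code '.'}) of a compact JWT and returns
     * one of its attributes as a string.
     *
     * <p>This only base64url-decodes and parses the header. It does not verify the token's
     * signature, so the returned value is suitable for inspecting a token in a test, not for
     * deciding whether to trust it.
     *
     * @param str the compact JWT; must contain at least one {@code '.'}
     * @param str2 name of the header attribute to read
     * @return the attribute value as returned by {@code DocNode.getAsString}
     * @throws DocumentParseException if parsing the decoded header fails
     */
    private static String getJwtHeaderValue(String str, String str2) throws DocumentParseException {
        String encodedHeader = str.substring(0, str.indexOf('.'));
        byte[] headerBytes = BaseEncoding.base64Url().decode(encodedHeader);
        // Decode explicitly as UTF-8; new String(byte[]) alone would use the platform default charset.
        String headerJson = new String(headerBytes, java.nio.charset.StandardCharsets.UTF_8);
        return DocNode.parse(Format.JSON).from(headerJson).getAsString(str2);
    }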

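    /**
     * Returns the base64url-decoded payload (the segment after the first {@code '.'}) of a
     * compact JWT as text.
     *
     * <p>The signature is not verified; the result is the token's claimed content only and must
     * not be treated as authenticated data.
     *
     * @param str the compact JWT
     * @return the decoded payload, interpreted as UTF-8
     */
    private static String getJwtPayload(String str) {
        int firstDot = str.indexOf('.');
        int secondDot = str.indexOf('.', firstDot + 1);
        // Without a second dot there is no signature segment; the payload then runs to the end.
        int payloadEnd = secondDot != -1 ? secondDot : str.length();
        byte[] payloadBytes = BaseEncoding.base64Url().decode(str.substring(firstDot + 1, payloadEnd));
        // Decode explicitly as UTF-8; new String(byte[]) alone would use the platform default charset.
        return new String(payloadBytes, java.nio.charset.StandardCharsets.UTF_8);
    }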

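    /**
     * Stores the given auth token service configuration through {@code /_searchguard/config},
     * asserts that reading the configuration back returns the same content, and returns the
     * content as read back.
     *
     * <p>The returned node is the complete stored content, so it holds any signing or encryption
     * keys that {@code docNode} contained.
     *
     * @param docNode the content to store under {@code auth_token_service.content}
     * @return the node found at {@code auth_token_service.content} in the GET response
     * @throws Exception if a request or closing the client fails
     */
    private DocNode updateAuthTokenServiceConfig(DocNode docNode) throws Exception {
        // try-with-resources replaces the hand-expanded close logic: the client is closed exactly
        // once, and a failure in close() is attached as suppressed to the primary failure.
        try (GenericRestClient adminCertRestClient = cluster.getAdminCertRestClient()) {
            GenericRestClient.HttpResponse putJson =
                    adminCertRestClient.putJson("/_searchguard/config", DocNode.of("auth_token_service.content", docNode));
            MatcherAssert.assertThat(putJson.getBody(), Integer.valueOf(putJson.getStatusCode()), Matchers.equalTo(200));

            GenericRestClient.HttpResponse httpResponse = adminCertRestClient.get("/_searchguard/config", new Header[0]);
            MatcherAssert.assertThat(httpResponse.getBody(), Integer.valueOf(httpResponse.getStatusCode()), Matchers.equalTo(200));
            // Round trip: what was written must be what is read back.
            MatcherAssert.assertThat(
                    httpResponse.getBodyAsDocNode().get("auth_token_service", new String[]{"content"}),
                    Matchers.equalTo(docNode.toMap()));

            // The return value is computed before the client is closed.
            return httpResponse.getBodyAsDocNode().findSingleNodeByJsonPath("auth_token_service.content");
        }
    }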
}
