package com.floragunn.searchguard.authc;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import java.net.InetAddress;
import java.util.Arrays;
import java.util.Collection;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.Client;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.elasticsearch.xcontent.XContentType;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/authc/RestAuthenticationIntegrationTests.class */
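/**
 * Integration tests for the REST authentication domains configured in {@link #AUTHC}: basic auth
 * against the internal users DB, trusted-origin (proxy header) auth, accept/skip rules keyed on
 * user name and client IP, anonymous auth, and the Basic auth challenge.
 *
 * <p>Client addresses are simulated by binding the REST client to different 127.0.0.x local
 * addresses. The negative cases (401 from an address that no domain accepts) are the
 * security-relevant assertions: they check that identity headers and anonymous access are only
 * honoured for the configured origins.
 *
 * <p>NOTE(review): this file looks like decompiler output. The four 401 checks referenced an
 * undeclared temporary ({@code r0}) and the resource handling was expanded into hand-written
 * close/suppress blocks, one of which called {@code th.addSuppressed(th)}. Both are repaired
 * below by binding the response to a local and by using try-with-resources.
 */
public class RestAuthenticationIntegrationTests {
    /** Role whose index pattern is derived from the user attribute {@code pattern}. */
    static TestSgConfig.Role INDEX_PATTERN_WITH_ATTR = new TestSgConfig.Role("sg_index_pattern_with_attr_role")
            .clusterPermissions("SGS_CLUSTER_COMPOSITE_OPS_RO")
            .indexPermissions("SGS_CRUD")
            .on("/attr_test_${user.attrs.pattern|toRegexFragment}/");

    static TestSgConfig.User ALL_ACCESS = new TestSgConfig.User("all_access").roles(TestSgConfig.Role.ALL_ACCESS);

    // Attribute "d" is what the first auth domain maps to the user attribute "pattern".
    static TestSgConfig.User USER_WITH_ATTRIBUTES = new TestSgConfig.User("user_with_attributes")
            .roles(INDEX_PATTERN_WITH_ATTR).attr("a", 1).attr("b", 2).attr("c", Arrays.asList(3, 4, 5)).attr("d", "a");
    static TestSgConfig.User USER_WITH_ATTRIBUTES2 = new TestSgConfig.User("user_with_attributes2")
            .roles(INDEX_PATTERN_WITH_ATTR).attr("a", 1).attr("b", 2).attr("c", Arrays.asList(3, 4, 5)).attr("d", Arrays.asList("a", "b", "c"));
    static TestSgConfig.User SUBJECT_PATTERN_USER_TEST = new TestSgConfig.User("subject_pattern_user")
            .roles(INDEX_PATTERN_WITH_ATTR).attr("a", 1).attr("b", 2).attr("c", Arrays.asList(3, 4, 5)).attr("d", Arrays.asList("a", "c"));

    // Not passed to LocalCluster.Builder.users(...) below.
    static TestSgConfig.User SKIP_TEST_USER = new TestSgConfig.User("skip_test_user").roles("skip_test_user_from_internal_users_db");
    static TestSgConfig.User ADDITIONAL_USER_INFORMATION_USER = new TestSgConfig.User("additional_user_information")
            .roles("additional_user_information_role").attr("additional", ImmutableMap.of("a", 1, "b", 2));

    /**
     * Auth domain chain under test. Address ranges used by the tests:
     * trusted proxies 127.0.0.12/30 (.12-.15), skip/accept range 127.0.0.16/30 (.16-.19),
     * anonymous access only from 127.0.0.33 and 127.0.0.34.
     */
    static TestSgConfig.Authc AUTHC = new TestSgConfig.Authc(
            // Basic auth against the internal users DB; user name is extracted with a pattern.
            new TestSgConfig.Authc.Domain("basic/internal_users_db")
                    .skipUsers("skip_test_*")
                    .skipIps("127.0.0.16/30")
                    .userMapping(new TestSgConfig.Authc.Domain.UserMapping()
                            .userNameFrom(DocNode.of("json_path", "credentials.user_name", "pattern", "(all_access)|(user_.*)|(.+)@(?:subject_pattern_domain)"))
                            .attrsFrom("pattern", "user_entry.attributes.d")),
            // Identity taken from x-proxy-* request headers.
            new TestSgConfig.Authc.Domain("trusted_origin")
                    .skipUsers("skip_test_*")
                    .skipIps("127.0.0.16/30", "127.0.0.14")
                    .userMapping(new TestSgConfig.Authc.Domain.UserMapping()
                            .userNameFrom("request.headers.x-proxy-user")
                            .rolesFrom("request.headers.x-proxy-roles")
                            .rolesFrom(DocNode.of("json_path", "request.headers.x-proxy-roles-comma-separated", "split", ","))),
            // Same header-based identity, restricted to 127.0.0.14 and enriched from the internal users DB.
            new TestSgConfig.Authc.Domain("trusted_origin")
                    .id("trusted_origin_with_additional_user_information")
                    .skipUsers("skip_test_*")
                    .acceptIps("127.0.0.14")
                    .additionalUserInformation(new TestSgConfig.Authc.Domain.AdditionalUserInformation("internal_users_db"))
                    .userMapping(new TestSgConfig.Authc.Domain.UserMapping()
                            .userNameFrom("request.headers.x-proxy-user")
                            .rolesFrom("request.headers.x-proxy-roles")
                            .attrsFrom("from_user_entry", "user_entry")),
            // Plain basic domain for skip_test_* users outside 127.0.0.16/30.
            new TestSgConfig.Authc.Domain("basic")
                    .acceptUsers("skip_test_*")
                    .skipUsers("skip_test_skip")
                    .skipIps("127.0.0.16/30")
                    .userMapping(new TestSgConfig.Authc.Domain.UserMapping().rolesStatic("skip_test_user_role_from_accept_users_auth_domain")),
            // Plain basic domain for skip_test_* users inside 127.0.0.16/30.
            new TestSgConfig.Authc.Domain("basic")
                    .acceptUsers("skip_test_*")
                    .skipUsers("skip_test_skip")
                    .acceptIps("127.0.0.16/30")
                    .userMapping(new TestSgConfig.Authc.Domain.UserMapping().rolesStatic("skip_test_user_role_from_accept_ips_auth_domain")),
            new TestSgConfig.Authc.Domain("anonymous")
                    .acceptIps("127.0.0.33")
                    .userMapping(new TestSgConfig.Authc.Domain.UserMapping().rolesStatic("anon_role")),
            new TestSgConfig.Authc.Domain("anonymous")
                    .acceptIps("127.0.0.34")
                    .userMapping(new TestSgConfig.Authc.Domain.UserMapping().userNameStatic("nobody").rolesStatic("anon_role")))
            .trustedProxies("127.0.0.12/30");

    private static final String AUTHINFO = "/_searchguard/authinfo";
    private static final Header[] NO_HEADERS = new Header[0];

    @ClassRule
    public static LocalCluster cluster = new LocalCluster.Builder().singleNode().sslEnabled()
            .users(ALL_ACCESS, USER_WITH_ATTRIBUTES, USER_WITH_ATTRIBUTES2, SUBJECT_PATTERN_USER_TEST, ADDITIONAL_USER_INFORMATION_USER)
            .authc(AUTHC).build();

    /** Creates one document in each of the indices attr_test_a .. attr_test_e. */
    @BeforeClass
    public static void initTestData() {
        try (Client client = cluster.getInternalNodeClient()) {
            indexDoc(client, "attr_test_a", "{\"filter_attr\": \"a\", \"amount\": 1010}");
            indexDoc(client, "attr_test_b", "{\"filter_attr\": \"b\", \"amount\": 2020}");
            indexDoc(client, "attr_test_c", "{\"filter_attr\": \"c\", \"amount\": 3030}");
            indexDoc(client, "attr_test_d", "{\"filter_attr\": \"d\", \"amount\": 4040}");
            indexDoc(client, "attr_test_e", "{\"filter_attr\": \"e\", \"amount\": 5050}");
        }
    }

    /** Indexes a single JSON document and waits for it to become searchable. */
    private static void indexDoc(Client client, String index, String json) {
        client.index(new IndexRequest(index).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(json, XContentType.JSON)).actionGet();
    }

    /** Returns 127.0.0.{@code lastOctet}, used as the client's local (source) address. */
    private static InetAddress loopback(int lastOctet) throws java.net.UnknownHostException {
        return InetAddress.getByAddress(new byte[]{127, 0, 0, (byte) lastOctet});
    }

    /** Counts the documents the given user can see when searching {@code attr_test_*}. */
    private static long countAttrTestHits(TestSgConfig.User user) throws Exception {
        try (RestHighLevelClient client = cluster.getRestHighLevelClient(user)) {
            SearchRequest request = new SearchRequest("attr_test_*")
                    .source(new SearchSourceBuilder().size(100).query(QueryBuilders.matchAllQuery()));
            return client.search(request, RequestOptions.DEFAULT).getHits().getTotalHits().value;
        }
    }

    /**
     * The attribute-driven index pattern must limit each user to the indices named by its "d"
     * attribute: all five for the unrestricted user, one for "a", three for ["a", "b", "c"].
     */
    @Test
    public void userAttribute_indexPattern_integration() throws Exception {
        // Each client is opened and closed on its own; a failed assertion no longer leaks a client.
        Assert.assertEquals(5L, countAttrTestHits(ALL_ACCESS));
        Assert.assertEquals(1L, countAttrTestHits(USER_WITH_ATTRIBUTES));
        Assert.assertEquals(3L, countAttrTestHits(USER_WITH_ATTRIBUTES2));
    }

    /** A login of the form {@code name@subject_pattern_domain} must be mapped to {@code name}. */
    @Test
    public void username_pattern_integration() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("subject_pattern_user@subject_pattern_domain", SUBJECT_PATTERN_USER_TEST.getPassword(), NO_HEADERS)) {
            GenericRestClient.HttpResponse response = restClient.get(AUTHINFO, NO_HEADERS);
            Assert.assertEquals(response.getBody(), 200L, response.getStatusCode());
            Assert.assertEquals(response.getBody(), "subject_pattern_user", response.getBodyAsDocNode().get("user_name"));
        }
    }

    /**
     * x-proxy-* identity headers must be rejected from an address outside the trusted proxy range
     * and accepted from inside it; roles are read from repeated and comma-separated headers.
     */
    @Test
    public void trustedOrigin_roles_integration() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient(NO_HEADERS)) {
            // 127.0.0.1 is not in trustedProxies (127.0.0.12/30): the headers alone must not authenticate.
            restClient.setLocalAddress(loopback(1));
            GenericRestClient.HttpResponse rejected = restClient.get(AUTHINFO, new BasicHeader("x-proxy-user", "proxy_test_user"), new BasicHeader("x-proxy-roles", "proxy_role1,proxy_role2"));
            Assert.assertEquals(rejected.getBody(), 401L, rejected.getStatusCode());

            restClient.setLocalAddress(loopback(13));
            // A single x-proxy-roles header is taken verbatim, not split on commas.
            GenericRestClient.HttpResponse singleHeader = restClient.get(AUTHINFO, new BasicHeader("x-proxy-user", "proxy_test_user"), new BasicHeader("x-proxy-roles", "proxy_role1,proxy_role2"));
            Assert.assertEquals(singleHeader.getBody(), 200L, singleHeader.getStatusCode());
            Assert.assertEquals(singleHeader.getBody(), "proxy_test_user", singleHeader.getBodyAsDocNode().get("user_name"));
            Assert.assertEquals(singleHeader.getBody(), Arrays.asList("proxy_role1,proxy_role2"), singleHeader.getBodyAsDocNode().get("backend_roles"));

            GenericRestClient.HttpResponse repeatedHeader = restClient.get(AUTHINFO, new BasicHeader("x-proxy-user", "proxy_test_user"), new BasicHeader("x-proxy-roles", "proxy_role1"), new BasicHeader("x-proxy-roles", "proxy_role2"));
            Assert.assertEquals(repeatedHeader.getBody(), 200L, repeatedHeader.getStatusCode());
            Assert.assertEquals(repeatedHeader.getBody(), Arrays.asList("proxy_role1", "proxy_role2"), repeatedHeader.getBodyAsDocNode().get("backend_roles"));

            GenericRestClient.HttpResponse mixedHeaders = restClient.get(AUTHINFO, new BasicHeader("x-proxy-user", "proxy_test_user"), new BasicHeader("x-proxy-roles-comma-separated", "proxy_role1,proxy_role2"), new BasicHeader("x-proxy-roles", "proxy_role3"));
            Assert.assertEquals(mixedHeaders.getBody(), 200L, mixedHeaders.getStatusCode());
            // Compared as sets: the roles come from two different header mappings, so order is not asserted.
            Assert.assertEquals(mixedHeaders.getBody(), ImmutableSet.of("proxy_role1", new String[]{"proxy_role2", "proxy_role3"}), ImmutableSet.of((Collection) mixedHeaders.getBodyAsDocNode().get("backend_roles")));
        }
    }

    /**
     * From 127.0.0.14 the header-supplied user must be enriched with roles and attributes from the
     * internal users DB; from 127.0.0.1 the same headers must be rejected.
     */
    @Test
    public void trustedOrigin_additionalUserInformation_integration() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient(new BasicHeader("x-proxy-user", ADDITIONAL_USER_INFORMATION_USER.getName()), new BasicHeader("x-proxy-roles", "proxy_role1"), new BasicHeader("x-proxy-roles", "proxy_role2"))) {
            restClient.setLocalAddress(loopback(1));
            GenericRestClient.HttpResponse rejected = restClient.get(AUTHINFO, NO_HEADERS);
            Assert.assertEquals(rejected.getBody(), 401L, rejected.getStatusCode());

            restClient.setLocalAddress(loopback(14));
            GenericRestClient.HttpResponse response = restClient.get(AUTHINFO, NO_HEADERS);
            Assert.assertEquals(response.getBody(), 200L, response.getStatusCode());
            Assert.assertEquals(response.getBody(), ADDITIONAL_USER_INFORMATION_USER.getName(), response.getBodyAsDocNode().get("user_name"));
            Assert.assertEquals(response.getBody(), Arrays.asList("proxy_role1", "proxy_role2"), response.getBodyAsDocNode().get("backend_roles"));
            Assert.assertEquals(response.getBody(), Arrays.asList("additional_user_information_role"), response.getBodyAsDocNode().get("sg_roles"));
            Assert.assertEquals(response.getBody(), Arrays.asList("from_user_entry"), response.getBodyAsDocNode().get("attribute_names"));
        }
    }

    /**
     * A skip_test_* user must be handled by the accept_users "basic" domain, while the explicitly
     * skipped user name {@code skip_test_skip} must not be authenticated by any domain.
     */
    @Test
    public void skipUser_integration() throws Exception {
        // NOTE(review): SKIP_TEST_USER is not registered via users(...); the 200 presumably comes
        // from the plain "basic" domain, which has no user store configured here. Confirm.
        try (GenericRestClient restClient = cluster.getRestClient(SKIP_TEST_USER, NO_HEADERS)) {
            GenericRestClient.HttpResponse response = restClient.get(AUTHINFO, NO_HEADERS);
            Assert.assertEquals(response.getBody(), 200L, response.getStatusCode());
            Assert.assertEquals(response.getBody(), "skip_test_user", response.getBodyAsDocNode().get("user_name"));
            Assert.assertEquals(response.getBody(), Arrays.asList("skip_test_user_role_from_accept_users_auth_domain"), response.getBodyAsDocNode().get("backend_roles"));
        }

        try (GenericRestClient skippedClient = cluster.getRestClient("skip_test_skip", "password", NO_HEADERS)) {
            GenericRestClient.HttpResponse rejected = skippedClient.get(AUTHINFO, NO_HEADERS);
            Assert.assertEquals(rejected.getBody(), 401L, rejected.getStatusCode());
        }
    }

    /**
     * The same user must be served by a different auth domain, and so receive a different static
     * role, depending on whether the client address lies in 127.0.0.16/30.
     */
    @Test
    public void skipIp_integration() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient(SKIP_TEST_USER, NO_HEADERS)) {
            // Default local address: handled by the domain that skips 127.0.0.16/30.
            GenericRestClient.HttpResponse outsideRange = restClient.get(AUTHINFO, NO_HEADERS);
            Assert.assertEquals(outsideRange.getBody(), 200L, outsideRange.getStatusCode());
            Assert.assertEquals(outsideRange.getBody(), "skip_test_user", outsideRange.getBodyAsDocNode().get("user_name"));
            Assert.assertEquals(outsideRange.getBody(), Arrays.asList("skip_test_user_role_from_accept_users_auth_domain"), outsideRange.getBodyAsDocNode().get("backend_roles"));

            // 127.0.0.17 lies in 127.0.0.16/30: handled by the domain that accepts only that range.
            restClient.setLocalAddress(loopback(17));
            GenericRestClient.HttpResponse insideRange = restClient.get(AUTHINFO, NO_HEADERS);
            Assert.assertEquals(insideRange.getBody(), 200L, insideRange.getStatusCode());
            Assert.assertEquals(insideRange.getBody(), "skip_test_user", insideRange.getBodyAsDocNode().get("user_name"));
            Assert.assertEquals(insideRange.getBody(), Arrays.asList("skip_test_user_role_from_accept_ips_auth_domain"), insideRange.getBodyAsDocNode().get("backend_roles"));
        }
    }

    /**
     * Anonymous access must be granted only from the two accepted addresses; a request without
     * credentials from any other address must get 401.
     */
    @Test
    public void anonymousAuth() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient(NO_HEADERS)) {
            restClient.setLocalAddress(loopback(1));
            GenericRestClient.HttpResponse rejected = restClient.get(AUTHINFO, NO_HEADERS);
            Assert.assertEquals(rejected.getBody(), 401L, rejected.getStatusCode());

            // No user name configured for this domain: the reported name is "anonymous".
            restClient.setLocalAddress(loopback(33));
            GenericRestClient.HttpResponse defaultName = restClient.get(AUTHINFO, NO_HEADERS);
            Assert.assertEquals(defaultName.getBody(), 200L, defaultName.getStatusCode());
            Assert.assertEquals(defaultName.getBody(), "anonymous", defaultName.getBodyAsDocNode().get("user_name"));
            Assert.assertEquals(defaultName.getBody(), Arrays.asList("anon_role"), defaultName.getBodyAsDocNode().get("backend_roles"));

            // userNameStatic("nobody") overrides the reported name.
            restClient.setLocalAddress(loopback(34));
            GenericRestClient.HttpResponse staticName = restClient.get(AUTHINFO, NO_HEADERS);
            Assert.assertEquals(staticName.getBody(), 200L, staticName.getStatusCode());
            Assert.assertEquals(staticName.getBody(), "nobody", staticName.getBodyAsDocNode().get("user_name"));
            Assert.assertEquals(staticName.getBody(), Arrays.asList("anon_role"), staticName.getBodyAsDocNode().get("backend_roles"));
        }
    }

    /** An unauthenticated request must get 401 together with a Basic auth challenge header. */
    @Test
    public void challenge() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient(NO_HEADERS)) {
            GenericRestClient.HttpResponse response = restClient.get(AUTHINFO, NO_HEADERS);
            Assert.assertEquals(response.getBody(), 401L, response.getStatusCode());
            Assert.assertEquals(response.getHeaders().toString(), "Basic realm=\"Search Guard\"", response.getHeaderValue("WWW-Authenticate"));
        }
    }

    /** The authinfo "user" string must name the auth domain that authenticated the user. */
    @Test
    public void authDomainInfo() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient(ALL_ACCESS, NO_HEADERS)) {
            GenericRestClient.HttpResponse response = restClient.get(AUTHINFO, NO_HEADERS);
            Assert.assertTrue(response.getBody(), response.toJsonNode().path("user").asText().startsWith("User all_access <basic/internal_users_db>"));
        }
    }
}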
