package com.floragunn.searchguard.authz;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.Format;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.SearchGuardModulesRegistry;
import com.floragunn.searchguard.authz.PrivilegesEvaluationResult;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.authz.actions.Actions;
import com.floragunn.searchguard.authz.config.ActionGroup;
import com.floragunn.searchguard.configuration.CType;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.user.User;
import java.util.Arrays;
import java.util.Set;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorizationTests.class */
public class RoleBasedActionAuthorizationTests {
    // Action registry shared by all tests in this class. It is built with a null
    // SearchGuardModulesRegistry (presumably meaning no module-contributed actions; confirm
    // against the Actions constructor).
    private static final Actions actions = new Actions((SearchGuardModulesRegistry) null);

    /**
     * Checks that a trailing-wildcard cluster permission authorizes a well-known action for the
     * role holding it, and for nothing else.
     *
     * <p>{@code test_role} is granted {@code cluster:monitor/nodes/stats*}. The stats action must
     * be allowed for that role, refused for a role that is not configured, and the sibling action
     * {@code cluster:monitor/nodes/usage} must be refused even for {@code test_role}.
     */
    @Test
    public void clusterAction_wellKnown() throws Exception {
        String grantedPattern = "cluster:monitor/nodes/stats*";
        Action statsAction = actions.get("cluster:monitor/nodes/stats");
        Action usageAction = actions.get("cluster:monitor/nodes/usage");
        // Precondition: the granted action must be handled as a well-known action.
        Assert.assertTrue(statsAction.toString(), statsAction instanceof Action.WellKnownAction);

        // Roles come from an in-memory document; the action-group index is empty.
        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(
                (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                        DocNode.of("test_role", DocNode.of("cluster_permissions", Arrays.asList(grantedPattern))),
                        CType.ROLES, (ConfigurationRepository.Context) null).get(),
                ActionGroup.FlattenedIndex.EMPTY, actions, (Set) null, ImmutableSet.empty());
        User user = User.forUser("test").build();

        // Positive case: role and action both match the grant.
        Assert.assertTrue(authorization.hasClusterPermission(ctx(user, "test_role"), statsAction).isOk());
        // Negative cases: a role with no configuration, and an action outside the pattern.
        Assert.assertFalse(authorization.hasClusterPermission(ctx(user, "other_role"), statsAction).isOk());
        Assert.assertFalse(authorization.hasClusterPermission(ctx(user, "test_role"), usageAction).isOk());
    }

    /**
     * Checks that a trailing-wildcard cluster permission is also applied to action names that are
     * not {@link Action.WellKnownAction} instances.
     *
     * <p>{@code test_role} is granted {@code cluster:monitor/nodes/stats*}. An unknown action
     * below {@code cluster:monitor/nodes/stats} must be allowed for that role only, and an unknown
     * action below {@code cluster:monitor/nodes/usage} must be refused.
     */
    @Test
    public void clusterAction_notWellKnown() throws Exception {
        String grantedPattern = "cluster:monitor/nodes/stats*";
        Action matchingAction = actions.get("cluster:monitor/nodes/stats/somethingnotwellknown");
        Action nonMatchingAction = actions.get("cluster:monitor/nodes/usage/somethingnotwellknown");
        // Precondition: the action under test must NOT be a well-known action.
        Assert.assertFalse(matchingAction.toString(), matchingAction instanceof Action.WellKnownAction);

        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(
                (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                        DocNode.of("test_role", DocNode.of("cluster_permissions", Arrays.asList(grantedPattern))),
                        CType.ROLES, (ConfigurationRepository.Context) null).get(),
                ActionGroup.FlattenedIndex.EMPTY, actions, (Set) null, ImmutableSet.empty());
        User user = User.forUser("test").build();

        // Allowed only when both the role and the action name match the grant.
        Assert.assertTrue(authorization.hasClusterPermission(ctx(user, "test_role"), matchingAction).isOk());
        Assert.assertFalse(authorization.hasClusterPermission(ctx(user, "other_role"), matchingAction).isOk());
        Assert.assertFalse(authorization.hasClusterPermission(ctx(user, "test_role"), nonMatchingAction).isOk());
    }

    /**
     * Checks that {@code exclude_cluster_permissions} takes precedence over a broader grant in
     * the same role.
     *
     * <p>{@code test_role1} is granted {@code cluster:monitor/*} but excludes
     * {@code cluster:monitor/nodes/stats*}. The usage action stays allowed, while the stats action
     * is refused both in its well-known form and in a not-well-known form below the same prefix.
     */
    @Test
    public void clusterAction_exclusion() throws Exception {
        String rolesYaml = "test_role1:\n"
                + "  cluster_permissions:\n"
                + "  - 'cluster:monitor/*'\n"
                + "  exclude_cluster_permissions:\n"
                + "  - 'cluster:monitor/nodes/stats*'\n";
        Action excludedWellKnown = actions.get("cluster:monitor/nodes/stats");
        Action stillGranted = actions.get("cluster:monitor/nodes/usage");
        Action excludedNotWellKnown = actions.get("cluster:monitor/nodes/stats/not_well_known");
        // Preconditions: both kinds of action are covered by the exclusion checks below.
        Assert.assertTrue(excludedWellKnown.toString(), excludedWellKnown instanceof Action.WellKnownAction);
        Assert.assertTrue(stillGranted.toString(), stillGranted instanceof Action.WellKnownAction);
        Assert.assertFalse(excludedNotWellKnown.toString(), excludedNotWellKnown instanceof Action.WellKnownAction);

        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(
                (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                        DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get(),
                ActionGroup.FlattenedIndex.EMPTY, actions, (Set) null, ImmutableSet.empty());
        User user = User.forUser("test").build();

        // Granted by the wildcard and not touched by the exclusion.
        Assert.assertTrue(authorization.hasClusterPermission(ctx(user, "test_role1"), stillGranted).isOk());
        // Matched by the wildcard but removed again by the exclusion pattern.
        Assert.assertFalse(authorization.hasClusterPermission(ctx(user, "test_role1"), excludedWellKnown).isOk());
        Assert.assertFalse(authorization.hasClusterPermission(ctx(user, "test_role1"), excludedNotWellKnown).isOk());
    }

    /**
     * Verifies index permission checks for a well-known action when the role names one exact
     * index and one exact action.
     *
     * <p>{@code test_role} may run {@code indices:data/write/index} on {@code index_constant_a}.
     * Expected statuses: OK for that index alone; PARTIALLY_OK, with only
     * {@code index_constant_a} reported as available, when an uncovered index is requested as
     * well; INSUFFICIENT for an unconfigured role and for an action that was not granted.
     */
    @Test
    public void indexAction_wellKnown_constantAction_constantIndex() throws Exception {
        String rolesYaml = "test_role:\n"
                + "  index_permissions:\n"
                + "  - index_patterns: ['index_constant_a']\n"
                + "    allowed_actions: ['indices:data/write/index']";
        Action grantedAction = actions.get("indices:data/write/index");
        Action ungrantedAction = actions.get("indices:data/write/delete");
        Assert.assertTrue(grantedAction.toString(), grantedAction instanceof Action.WellKnownAction);

        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(
                (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                        DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get(),
                ActionGroup.FlattenedIndex.EMPTY, actions, (Set) null, ImmutableSet.empty());
        User user = User.forUser("test").build();
        ActionRequestIntrospector.ResolvedIndices coveredIndices = ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_constant_a"});

        // Every requested index is covered by the role.
        PrivilegesEvaluationResult fullyCovered = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(grantedAction), coveredIndices);
        Assert.assertTrue(fullyCovered.toString(), fullyCovered.getStatus() == PrivilegesEvaluationResult.Status.OK);

        // One requested index is not covered: the result is partial and lists only the covered one.
        PrivilegesEvaluationResult partlyCovered = authorization.hasIndexPermission(
                ctx(user, "test_role"), ImmutableSet.of(grantedAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_constant_a", "index_constant_b"}));
        Assert.assertTrue(partlyCovered.toString(), partlyCovered.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(partlyCovered.toString(), partlyCovered.getAvailableIndices().equals(ImmutableSet.of("index_constant_a")));

        // A role that is not in the configuration gets nothing.
        PrivilegesEvaluationResult wrongRole = authorization.hasIndexPermission(ctx(user, "other_role"), ImmutableSet.of(grantedAction), coveredIndices);
        Assert.assertTrue(wrongRole.toString(), wrongRole.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);

        // The right role with an action that was never granted is refused as well.
        PrivilegesEvaluationResult wrongAction = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(ungrantedAction), coveredIndices);
        Assert.assertTrue(wrongAction.toString(), wrongAction.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
    }

    /**
     * Verifies index permission checks for a well-known action when the role uses a wildcard
     * index pattern and one exact action.
     *
     * <p>{@code test_role} may run {@code indices:data/write/index} on {@code index_constant_a*}.
     * Expected statuses: OK when all requested indices match the pattern; PARTIALLY_OK, listing
     * only the matching indices, when {@code index_constant_b} is requested too; INSUFFICIENT for
     * an unconfigured role and for an action that was not granted.
     */
    @Test
    public void indexAction_wellKnown_constantAction_indexPattern() throws Exception {
        String rolesYaml = "test_role:\n"
                + "  index_permissions:\n"
                + "  - index_patterns: ['index_constant_a*']\n"
                + "    allowed_actions: ['indices:data/write/index']";
        Action grantedAction = actions.get("indices:data/write/index");
        Action ungrantedAction = actions.get("indices:data/write/delete");
        Assert.assertTrue(grantedAction.toString(), grantedAction instanceof Action.WellKnownAction);

        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(
                (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                        DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get(),
                ActionGroup.FlattenedIndex.EMPTY, actions, (Set) null, ImmutableSet.empty());
        User user = User.forUser("test").build();
        ActionRequestIntrospector.ResolvedIndices matchingIndices = ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_constant_a1", "index_constant_a2"});

        // Both requested indices match the pattern.
        PrivilegesEvaluationResult fullyCovered = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(grantedAction), matchingIndices);
        Assert.assertTrue(fullyCovered.toString(), fullyCovered.getStatus() == PrivilegesEvaluationResult.Status.OK);

        // index_constant_b falls outside the pattern and must not be reported as available.
        PrivilegesEvaluationResult partlyCovered = authorization.hasIndexPermission(
                ctx(user, "test_role"), ImmutableSet.of(grantedAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_constant_a1", "index_constant_a2", "index_constant_b"}));
        Assert.assertTrue(partlyCovered.toString(), partlyCovered.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(partlyCovered.toString(), partlyCovered.getAvailableIndices().equals(ImmutableSet.of("index_constant_a1", "index_constant_a2")));

        // Unconfigured role.
        PrivilegesEvaluationResult wrongRole = authorization.hasIndexPermission(ctx(user, "other_role"), ImmutableSet.of(grantedAction), matchingIndices);
        Assert.assertTrue(wrongRole.toString(), wrongRole.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);

        // Action that was never granted.
        PrivilegesEvaluationResult wrongAction = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(ungrantedAction), matchingIndices);
        Assert.assertTrue(wrongAction.toString(), wrongAction.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
    }

    /**
     * Verifies index permission checks when the index pattern is a template that is filled in
     * from a user attribute.
     *
     * <p>{@code test_role} may run {@code indices:data/write/index} on
     * {@code index_${user.attrs.dept_no}}. For a user whose {@code dept_no} attribute is
     * {@code a}, {@code index_a} is allowed and {@code index_b} is not. A user without the
     * attribute must be refused (INSUFFICIENT) and the result must carry an error naming the
     * unresolved placeholder, so a missing attribute never widens access.
     */
    @Test
    public void indexAction_wellKnown_constantAction_indexTemplate() throws Exception {
        String rolesYaml = "test_role:\n"
                + "  index_permissions:\n"
                + "  - index_patterns: ['index_${user.attrs.dept_no}']\n"
                + "    allowed_actions: ['indices:data/write/index']";
        Action grantedAction = actions.get("indices:data/write/index");
        Action ungrantedAction = actions.get("indices:data/write/delete");
        Assert.assertTrue(grantedAction.toString(), grantedAction instanceof Action.WellKnownAction);

        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(
                (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                        DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get(),
                ActionGroup.FlattenedIndex.EMPTY, actions, (Set) null, ImmutableSet.empty());
        // The attribute value "a" makes the template resolve to "index_a".
        User deptUser = User.forUser("test").attribute("dept_no", "a").build();

        PrivilegesEvaluationResult fullyCovered = authorization.hasIndexPermission(
                ctx(deptUser, "test_role"), ImmutableSet.of(grantedAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a"}));
        Assert.assertTrue(fullyCovered.toString(), fullyCovered.getStatus() == PrivilegesEvaluationResult.Status.OK);

        // index_b belongs to a different attribute value and must not be reported as available.
        PrivilegesEvaluationResult partlyCovered = authorization.hasIndexPermission(
                ctx(deptUser, "test_role"), ImmutableSet.of(grantedAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a", "index_b"}));
        Assert.assertTrue(partlyCovered.toString(), partlyCovered.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(partlyCovered.toString(), partlyCovered.getAvailableIndices().equals(ImmutableSet.of("index_a")));

        // Unconfigured role.
        PrivilegesEvaluationResult wrongRole = authorization.hasIndexPermission(
                ctx(deptUser, "other_role"), ImmutableSet.of(grantedAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a"}));
        Assert.assertTrue(wrongRole.toString(), wrongRole.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);

        // Action that was never granted.
        PrivilegesEvaluationResult wrongAction = authorization.hasIndexPermission(
                ctx(deptUser, "test_role"), ImmutableSet.of(ungrantedAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a"}));
        Assert.assertTrue(wrongAction.toString(), wrongAction.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);

        // A user lacking the attribute: the template cannot be resolved, so access is denied
        // and the reason is reported in the result's errors.
        User userWithoutAttributes = User.forUser("no_attributes").build();
        PrivilegesEvaluationResult unresolvedTemplate = authorization.hasIndexPermission(
                ctx(userWithoutAttributes, "test_role"), ImmutableSet.of(grantedAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a"}));
        Assert.assertTrue(unresolvedTemplate.toString(), unresolvedTemplate.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        Assert.assertTrue(unresolvedTemplate.toString(), unresolvedTemplate.getErrors().toString().contains("No value for ${user.attrs.dept_no}"));
    }

    /**
     * Repeats the wildcard-index-pattern checks for a well-known action with a non-null index set
     * passed as the fourth constructor argument.
     *
     * <p>That set holds {@code index_constant_a1} and {@code index_constant_b} (presumably the
     * indices known at construction time, judging by the test name; confirm against
     * {@code RoleBasedActionAuthorization}). The expected results do not depend on it:
     * {@code index_constant_a2}, which is absent from the set, is still granted through the
     * pattern, and {@code index_constant_b}, which is present, is still not granted.
     */
    @Test
    public void indexAction_wellKnown_constantAction_indexPattern_statefulIndices() throws Exception {
        String rolesYaml = "test_role:\n"
                + "  index_permissions:\n"
                + "  - index_patterns: ['index_constant_a*']\n"
                + "    allowed_actions: ['indices:data/write/index']";
        Action grantedAction = actions.get("indices:data/write/index");
        Action ungrantedAction = actions.get("indices:data/write/delete");
        Assert.assertTrue(grantedAction.toString(), grantedAction instanceof Action.WellKnownAction);

        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(
                (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                        DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get(),
                ActionGroup.FlattenedIndex.EMPTY, actions, ImmutableSet.of("index_constant_a1", "index_constant_b"), ImmutableSet.empty());
        User user = User.forUser("test").build();
        ActionRequestIntrospector.ResolvedIndices matchingIndices = ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_constant_a1", "index_constant_a2"});

        // One index from the constructor set, one outside it; both match the pattern.
        PrivilegesEvaluationResult fullyCovered = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(grantedAction), matchingIndices);
        Assert.assertTrue(fullyCovered.toString(), fullyCovered.getStatus() == PrivilegesEvaluationResult.Status.OK);

        // index_constant_b is in the constructor set but not matched by the role's pattern.
        PrivilegesEvaluationResult partlyCovered = authorization.hasIndexPermission(
                ctx(user, "test_role"), ImmutableSet.of(grantedAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_constant_a1", "index_constant_a2", "index_constant_b"}));
        Assert.assertTrue(partlyCovered.toString(), partlyCovered.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(partlyCovered.toString(), partlyCovered.getAvailableIndices().equals(ImmutableSet.of("index_constant_a1", "index_constant_a2")));

        // Unconfigured role.
        PrivilegesEvaluationResult wrongRole = authorization.hasIndexPermission(ctx(user, "other_role"), ImmutableSet.of(grantedAction), matchingIndices);
        Assert.assertTrue(wrongRole.toString(), wrongRole.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);

        // Action that was never granted.
        PrivilegesEvaluationResult wrongAction = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(ungrantedAction), matchingIndices);
        Assert.assertTrue(wrongAction.toString(), wrongAction.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
    }

    /**
     * Verifies index permission checks for an action that is not well-known, granted by its
     * exact name on a wildcard index pattern.
     *
     * <p>{@code test_role} may run {@code indices:data/write/index/notwellknown} on
     * {@code index_constant_a*}. Expected statuses: OK when all requested indices match;
     * PARTIALLY_OK, listing only the matching indices, when {@code index_constant_b} is added;
     * INSUFFICIENT for an unconfigured role and for a different not-well-known action.
     */
    @Test
    public void indexAction_notWellKnown_constantAction_indexPattern() throws Exception {
        String rolesYaml = "test_role:\n"
                + "  index_permissions:\n"
                + "  - index_patterns: ['index_constant_a*']\n"
                + "    allowed_actions: ['indices:data/write/index/notwellknown']";
        Action grantedAction = actions.get("indices:data/write/index/notwellknown");
        Action ungrantedAction = actions.get("indices:data/write/delete/notwellknown");
        // Precondition: the action under test must NOT be a well-known action.
        Assert.assertFalse(grantedAction.toString(), grantedAction instanceof Action.WellKnownAction);

        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(
                (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                        DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get(),
                ActionGroup.FlattenedIndex.EMPTY, actions, (Set) null, ImmutableSet.empty());
        User user = User.forUser("test").build();
        ActionRequestIntrospector.ResolvedIndices matchingIndices = ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_constant_a1", "index_constant_a2"});

        // Both requested indices match the pattern.
        PrivilegesEvaluationResult fullyCovered = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(grantedAction), matchingIndices);
        Assert.assertTrue(fullyCovered.toString(), fullyCovered.getStatus() == PrivilegesEvaluationResult.Status.OK);

        // index_constant_b falls outside the pattern and must not be reported as available.
        PrivilegesEvaluationResult partlyCovered = authorization.hasIndexPermission(
                ctx(user, "test_role"), ImmutableSet.of(grantedAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_constant_a1", "index_constant_a2", "index_constant_b"}));
        Assert.assertTrue(partlyCovered.toString(), partlyCovered.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(partlyCovered.toString(), partlyCovered.getAvailableIndices().equals(ImmutableSet.of("index_constant_a1", "index_constant_a2")));

        // Unconfigured role.
        PrivilegesEvaluationResult wrongRole = authorization.hasIndexPermission(ctx(user, "other_role"), ImmutableSet.of(grantedAction), matchingIndices);
        Assert.assertTrue(wrongRole.toString(), wrongRole.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);

        // Action that was never granted.
        PrivilegesEvaluationResult wrongAction = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(ungrantedAction), matchingIndices);
        Assert.assertTrue(wrongAction.toString(), wrongAction.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
    }

    /**
     * Verifies index permission checks for an action that is not well-known, granted through a
     * wildcard action pattern on a wildcard index pattern.
     *
     * <p>{@code test_role} may run {@code indices:data/write/index/*} on
     * {@code index_constant_a*}. Expected statuses: OK when all requested indices match;
     * PARTIALLY_OK, listing only the matching indices, when {@code index_constant_b} is added;
     * INSUFFICIENT for an unconfigured role and for an action outside the action pattern.
     */
    @Test
    public void indexAction_notWellKnown_actionPattern_indexPattern() throws Exception {
        String rolesYaml = "test_role:\n"
                + "  index_permissions:\n"
                + "  - index_patterns: ['index_constant_a*']\n"
                + "    allowed_actions: ['indices:data/write/index/*']";
        Action grantedAction = actions.get("indices:data/write/index/notwellknown");
        Action ungrantedAction = actions.get("indices:data/write/delete/notwellknown");
        // Precondition: the action under test must NOT be a well-known action.
        Assert.assertFalse(grantedAction.toString(), grantedAction instanceof Action.WellKnownAction);

        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(
                (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                        DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get(),
                ActionGroup.FlattenedIndex.EMPTY, actions, (Set) null, ImmutableSet.empty());
        User user = User.forUser("test").build();
        ActionRequestIntrospector.ResolvedIndices matchingIndices = ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_constant_a1", "index_constant_a2"});

        // Both requested indices match the pattern.
        PrivilegesEvaluationResult fullyCovered = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(grantedAction), matchingIndices);
        Assert.assertTrue(fullyCovered.toString(), fullyCovered.getStatus() == PrivilegesEvaluationResult.Status.OK);

        // index_constant_b falls outside the pattern and must not be reported as available.
        PrivilegesEvaluationResult partlyCovered = authorization.hasIndexPermission(
                ctx(user, "test_role"), ImmutableSet.of(grantedAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_constant_a1", "index_constant_a2", "index_constant_b"}));
        Assert.assertTrue(partlyCovered.toString(), partlyCovered.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(partlyCovered.toString(), partlyCovered.getAvailableIndices().equals(ImmutableSet.of("index_constant_a1", "index_constant_a2")));

        // Unconfigured role.
        PrivilegesEvaluationResult wrongRole = authorization.hasIndexPermission(ctx(user, "other_role"), ImmutableSet.of(grantedAction), matchingIndices);
        Assert.assertTrue(wrongRole.toString(), wrongRole.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);

        // Action outside the granted action pattern.
        PrivilegesEvaluationResult wrongAction = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(ungrantedAction), matchingIndices);
        Assert.assertTrue(wrongAction.toString(), wrongAction.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
    }

    /**
     * Verifies index permission checks when the role uses a wildcard action pattern on one exact
     * index.
     *
     * <p>{@code test_role} may run {@code indices:data/write/index*} on {@code index_constant_a}.
     * The well-known action {@code indices:data/write/index} and the action
     * {@code indices:data/write/index/notWellKnown} are both expected to be covered: OK on the
     * exact index, PARTIALLY_OK (only {@code index_constant_a} available) when
     * {@code index_constant_b} is added. An unconfigured role and the delete action must get
     * INSUFFICIENT.
     */
    @Test
    public void indexAction_actionPattern_constantIndex() throws Exception {
        String rolesYaml = "test_role:\n"
                + "  index_permissions:\n"
                + "  - index_patterns: ['index_constant_a']\n"
                + "    allowed_actions: ['indices:data/write/index*']";
        Action wellKnownAction = actions.get("indices:data/write/index");
        Action patternMatchedAction = actions.get("indices:data/write/index/notWellKnown");
        Action ungrantedAction = actions.get("indices:data/write/delete");
        Assert.assertTrue(wellKnownAction.toString(), wellKnownAction instanceof Action.WellKnownAction);

        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(
                (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                        DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get(),
                ActionGroup.FlattenedIndex.EMPTY, actions, (Set) null, ImmutableSet.empty());
        User user = User.forUser("test").build();
        ActionRequestIntrospector.ResolvedIndices coveredIndices = ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_constant_a"});

        // Both actions matched by the action pattern are allowed on the covered index.
        PrivilegesEvaluationResult wellKnownCovered = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(wellKnownAction), coveredIndices);
        Assert.assertTrue(wellKnownCovered.toString(), wellKnownCovered.getStatus() == PrivilegesEvaluationResult.Status.OK);
        PrivilegesEvaluationResult patternMatchedCovered = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(patternMatchedAction), coveredIndices);
        Assert.assertTrue(patternMatchedCovered.toString(), patternMatchedCovered.getStatus() == PrivilegesEvaluationResult.Status.OK);

        // Adding an uncovered index makes the result partial for both actions.
        PrivilegesEvaluationResult wellKnownPartial = authorization.hasIndexPermission(
                ctx(user, "test_role"), ImmutableSet.of(wellKnownAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_constant_a", "index_constant_b"}));
        Assert.assertTrue(wellKnownPartial.toString(), wellKnownPartial.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(wellKnownPartial.toString(), wellKnownPartial.getAvailableIndices().equals(ImmutableSet.of("index_constant_a")));
        PrivilegesEvaluationResult patternMatchedPartial = authorization.hasIndexPermission(
                ctx(user, "test_role"), ImmutableSet.of(patternMatchedAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_constant_a", "index_constant_b"}));
        Assert.assertTrue(patternMatchedPartial.toString(), patternMatchedPartial.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(patternMatchedPartial.toString(), patternMatchedPartial.getAvailableIndices().equals(ImmutableSet.of("index_constant_a")));

        // Unconfigured role.
        PrivilegesEvaluationResult wrongRole = authorization.hasIndexPermission(ctx(user, "other_role"), ImmutableSet.of(wellKnownAction), coveredIndices);
        Assert.assertTrue(wrongRole.toString(), wrongRole.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);

        // Action outside the granted action pattern.
        PrivilegesEvaluationResult wrongAction = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(ungrantedAction), coveredIndices);
        Assert.assertTrue(wrongAction.toString(), wrongAction.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
    }

    /**
     * Verifies index permission checks when the role uses a wildcard action pattern on a wildcard
     * index pattern.
     *
     * <p>{@code test_role} may run {@code indices:data/write/index*} on {@code index_a*}. The
     * well-known action {@code indices:data/write/index} and the action
     * {@code indices:data/write/index/notWellKnown} are both expected to be covered: OK on
     * {@code index_a1} and {@code index_a2}, PARTIALLY_OK (only {@code index_a} available) for
     * {@code index_a} plus {@code index_b}. An unconfigured role and the delete action must get
     * INSUFFICIENT.
     */
    @Test
    public void indexAction_actionPattern_indexPattern() throws Exception {
        String rolesYaml = "test_role:\n"
                + "  index_permissions:\n"
                + "  - index_patterns: ['index_a*']\n"
                + "    allowed_actions: ['indices:data/write/index*']";
        Action wellKnownAction = actions.get("indices:data/write/index");
        Action patternMatchedAction = actions.get("indices:data/write/index/notWellKnown");
        Action ungrantedAction = actions.get("indices:data/write/delete");
        Assert.assertTrue(wellKnownAction.toString(), wellKnownAction instanceof Action.WellKnownAction);

        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(
                (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                        DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get(),
                ActionGroup.FlattenedIndex.EMPTY, actions, (Set) null, ImmutableSet.empty());
        User user = User.forUser("test").build();
        ActionRequestIntrospector.ResolvedIndices matchingIndices = ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a1", "index_a2"});

        // Both actions matched by the action pattern are allowed on the matching indices.
        PrivilegesEvaluationResult wellKnownCovered = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(wellKnownAction), matchingIndices);
        Assert.assertTrue(wellKnownCovered.toString(), wellKnownCovered.getStatus() == PrivilegesEvaluationResult.Status.OK);
        PrivilegesEvaluationResult patternMatchedCovered = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(patternMatchedAction), matchingIndices);
        Assert.assertTrue(patternMatchedCovered.toString(), patternMatchedCovered.getStatus() == PrivilegesEvaluationResult.Status.OK);

        // index_b is outside the index pattern, so the result is partial for both actions.
        PrivilegesEvaluationResult wellKnownPartial = authorization.hasIndexPermission(
                ctx(user, "test_role"), ImmutableSet.of(wellKnownAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a", "index_b"}));
        Assert.assertTrue(wellKnownPartial.toString(), wellKnownPartial.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(wellKnownPartial.toString(), wellKnownPartial.getAvailableIndices().equals(ImmutableSet.of("index_a")));
        PrivilegesEvaluationResult patternMatchedPartial = authorization.hasIndexPermission(
                ctx(user, "test_role"), ImmutableSet.of(patternMatchedAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a", "index_b"}));
        Assert.assertTrue(patternMatchedPartial.toString(), patternMatchedPartial.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(patternMatchedPartial.toString(), patternMatchedPartial.getAvailableIndices().equals(ImmutableSet.of("index_a")));

        // Unconfigured role.
        PrivilegesEvaluationResult wrongRole = authorization.hasIndexPermission(ctx(user, "other_role"), ImmutableSet.of(wellKnownAction), matchingIndices);
        Assert.assertTrue(wrongRole.toString(), wrongRole.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);

        // Action outside the granted action pattern.
        PrivilegesEvaluationResult wrongAction = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(ungrantedAction), matchingIndices);
        Assert.assertTrue(wrongAction.toString(), wrongAction.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
    }

    /**
     * Repeats the wildcard-action / wildcard-index checks with a non-null index set passed as the
     * fourth constructor argument.
     *
     * <p>That set holds {@code index_a1} and {@code index_b} (presumably the indices known at
     * construction time, judging by the test name; confirm against
     * {@code RoleBasedActionAuthorization}). The expected results do not depend on it:
     * {@code index_a2} and {@code index_a}, which are absent from the set, are still granted
     * through the {@code index_a*} pattern, and {@code index_b}, which is present, is still not
     * granted.
     */
    @Test
    public void indexAction_actionPattern_indexPattern_statefulIndices() throws Exception {
        String rolesYaml = "test_role:\n"
                + "  index_permissions:\n"
                + "  - index_patterns: ['index_a*']\n"
                + "    allowed_actions: ['indices:data/write/index*']";
        Action wellKnownAction = actions.get("indices:data/write/index");
        Action patternMatchedAction = actions.get("indices:data/write/index/notWellKnown");
        Action ungrantedAction = actions.get("indices:data/write/delete");
        Assert.assertTrue(wellKnownAction.toString(), wellKnownAction instanceof Action.WellKnownAction);

        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(
                (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                        DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get(),
                ActionGroup.FlattenedIndex.EMPTY, actions, ImmutableSet.of("index_a1", "index_b"), ImmutableSet.empty());
        User user = User.forUser("test").build();
        ActionRequestIntrospector.ResolvedIndices matchingIndices = ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a1", "index_a2"});

        // Both actions matched by the action pattern are allowed on the matching indices.
        PrivilegesEvaluationResult wellKnownCovered = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(wellKnownAction), matchingIndices);
        Assert.assertTrue(wellKnownCovered.toString(), wellKnownCovered.getStatus() == PrivilegesEvaluationResult.Status.OK);
        PrivilegesEvaluationResult patternMatchedCovered = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(patternMatchedAction), matchingIndices);
        Assert.assertTrue(patternMatchedCovered.toString(), patternMatchedCovered.getStatus() == PrivilegesEvaluationResult.Status.OK);

        // index_b is in the constructor set but outside the role's index pattern.
        PrivilegesEvaluationResult wellKnownPartial = authorization.hasIndexPermission(
                ctx(user, "test_role"), ImmutableSet.of(wellKnownAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a", "index_b"}));
        Assert.assertTrue(wellKnownPartial.toString(), wellKnownPartial.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(wellKnownPartial.toString(), wellKnownPartial.getAvailableIndices().equals(ImmutableSet.of("index_a")));
        PrivilegesEvaluationResult patternMatchedPartial = authorization.hasIndexPermission(
                ctx(user, "test_role"), ImmutableSet.of(patternMatchedAction),
                ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a", "index_b"}));
        Assert.assertTrue(patternMatchedPartial.toString(), patternMatchedPartial.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(patternMatchedPartial.toString(), patternMatchedPartial.getAvailableIndices().equals(ImmutableSet.of("index_a")));

        // Unconfigured role.
        PrivilegesEvaluationResult wrongRole = authorization.hasIndexPermission(ctx(user, "other_role"), ImmutableSet.of(wellKnownAction), matchingIndices);
        Assert.assertTrue(wrongRole.toString(), wrongRole.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);

        // Action outside the granted action pattern.
        PrivilegesEvaluationResult wrongAction = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(ungrantedAction), matchingIndices);
        Assert.assertTrue(wrongAction.toString(), wrongAction.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
    }

    /**
     * Checks index authorization for a role that grants the action pattern
     * {@code indices:data/write/index*} on the index pattern {@code *}.
     *
     * <p>Expected outcomes, as asserted below:
     * <ul>
     *   <li>both the well-known index action and the non-well-known action sharing its prefix
     *       are {@code OK} on every requested index;</li>
     *   <li>a context holding only {@code other_role}, which the role configuration does not
     *       define, is {@code INSUFFICIENT};</li>
     *   <li>{@code indices:data/write/delete}, which the action pattern does not cover, is
     *       {@code INSUFFICIENT} even though the index wildcard matches every index.</li>
     * </ul>
     * The last two cases are the negative checks: an index wildcard must not widen the set of
     * granted actions, and a role name without a definition must not yield privileges.
     */
    @Test
    public void indexAction_actionPattern_indexWildcard() throws Exception {
        Action indexAction = actions.get("indices:data/write/index");
        Action indexActionNotWellKnown = actions.get("indices:data/write/index/notWellKnown");
        Action deleteAction = actions.get("indices:data/write/delete");
        Assert.assertTrue(indexAction.toString(), indexAction instanceof Action.WellKnownAction);

        String rolesYaml = "test_role:\n"
                + "  index_permissions:\n"
                + "  - index_patterns: ['*']\n"
                + "    allowed_actions: ['indices:data/write/index*']";
        SgDynamicConfiguration roles = (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get();
        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(roles, ActionGroup.FlattenedIndex.EMPTY, actions, (Set) null, ImmutableSet.empty());
        User user = User.forUser("test").build();

        // Positive cases on index_a1 / index_a2: both actions match the action pattern.
        ActionRequestIntrospector.ResolvedIndices indicesA1A2 = ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a1", "index_a2"});
        PrivilegesEvaluationResult wellKnownOnA1A2 = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(indexAction), indicesA1A2);
        Assert.assertTrue(wellKnownOnA1A2.toString(), wellKnownOnA1A2.getStatus() == PrivilegesEvaluationResult.Status.OK);
        PrivilegesEvaluationResult notWellKnownOnA1A2 = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(indexActionNotWellKnown), indicesA1A2);
        Assert.assertTrue(notWellKnownOnA1A2.toString(), notWellKnownOnA1A2.getStatus() == PrivilegesEvaluationResult.Status.OK);

        // Positive cases on index_a / index_b: the index wildcard covers these as well.
        ActionRequestIntrospector.ResolvedIndices indicesAB = ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a", "index_b"});
        PrivilegesEvaluationResult wellKnownOnAB = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(indexAction), indicesAB);
        Assert.assertTrue(wellKnownOnAB.toString(), wellKnownOnAB.getStatus() == PrivilegesEvaluationResult.Status.OK);
        PrivilegesEvaluationResult notWellKnownOnAB = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(indexActionNotWellKnown), indicesAB);
        Assert.assertTrue(notWellKnownOnAB.toString(), notWellKnownOnAB.getStatus() == PrivilegesEvaluationResult.Status.OK);

        // Negative case: a role name with no definition in the configuration grants nothing.
        PrivilegesEvaluationResult undefinedRole = authorization.hasIndexPermission(ctx(user, "other_role"), ImmutableSet.of(indexAction), indicesA1A2);
        Assert.assertTrue(undefinedRole.toString(), undefinedRole.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);

        // Negative case: the delete action is outside the granted action pattern.
        PrivilegesEvaluationResult deleteDenied = authorization.hasIndexPermission(ctx(user, "test_role"), ImmutableSet.of(deleteAction), indicesA1A2);
        Assert.assertTrue(deleteDenied.toString(), deleteDenied.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
    }

    /**
     * Checks index authorization when a request needs two actions at once and the grants are
     * spread over three roles.
     *
     * <p>Role configuration used here:
     * <ul>
     *   <li>{@code test_role1}: {@code indices:data/write/index} on {@code index_a*}</li>
     *   <li>{@code test_role2}: {@code indices:data/write/index/notWell*} on {@code index_a1}</li>
     *   <li>{@code test_role3}: {@code indices:data/write/index/notWell*} on {@code index_a2}</li>
     * </ul>
     *
     * <p>The assertions pin that an index only counts as available when both required actions
     * are granted for it, that grants from different roles are combined per index, and that the
     * result is {@code INSUFFICIENT} when one of the required actions is granted by none of the
     * roles in the context.
     */
    @Test
    public void indexAction_twoRequiredPrivileges_actionPattern_indexPattern() throws Exception {
        Action indexAction = actions.get("indices:data/write/index");
        Action indexActionNotWellKnown = actions.get("indices:data/write/index/notWellKnown");
        Assert.assertTrue(indexAction.toString(), indexAction instanceof Action.WellKnownAction);

        String rolesYaml = "test_role1:\n"
                + "  index_permissions:\n"
                + "  - index_patterns: ['index_a*']\n"
                + "    allowed_actions: ['indices:data/write/index']\n"
                + "test_role2:\n"
                + "  index_permissions:\n"
                + "  - index_patterns: ['index_a1']\n"
                + "    allowed_actions: ['indices:data/write/index/notWell*']\n"
                + "test_role3:\n"
                + "  index_permissions:\n"
                + "  - index_patterns: ['index_a2']\n"
                + "    allowed_actions: ['indices:data/write/index/notWell*']\n";
        SgDynamicConfiguration roles = (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get();
        RoleBasedActionAuthorization authorization = new RoleBasedActionAuthorization(roles, ActionGroup.FlattenedIndex.EMPTY, actions, (Set) null, ImmutableSet.empty());
        User user = User.forUser("test").build();

        // All three roles, indices index_a1 + index_a2: both actions are covered on both indices.
        ActionRequestIntrospector.ResolvedIndices indicesA1A2 = ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a1", "index_a2"});
        PrivilegesEvaluationResult allRoles = authorization.hasIndexPermission(ctx(user, "test_role1", "test_role2", "test_role3"), ImmutableSet.of(indexAction, indexActionNotWellKnown), indicesA1A2);
        Assert.assertTrue(allRoles.toString(), allRoles.getStatus() == PrivilegesEvaluationResult.Status.OK);

        // All three roles, plus index_b: no role covers index_b, so it is left out of the
        // available indices.
        ActionRequestIntrospector.ResolvedIndices indicesA1A2B = ActionRequestIntrospector.ResolvedIndices.empty().localIndices(new String[]{"index_a1", "index_a2", "index_b"});
        PrivilegesEvaluationResult allRolesWithB = authorization.hasIndexPermission(ctx(user, "test_role1", "test_role2", "test_role3"), ImmutableSet.of(indexAction, indexActionNotWellKnown), indicesA1A2B);
        Assert.assertTrue(allRolesWithB.toString(), allRolesWithB.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(allRolesWithB.toString(), allRolesWithB.getAvailableIndices().equals(ImmutableSet.of("index_a1", "index_a2")));

        // Without test_role3 the second action is granted only on index_a1, so index_a2 must not
        // be reported as available although test_role1 grants the first action there.
        PrivilegesEvaluationResult withoutRole3 = authorization.hasIndexPermission(ctx(user, "test_role1", "test_role2"), ImmutableSet.of(indexAction, indexActionNotWellKnown), indicesA1A2B);
        Assert.assertTrue(withoutRole3.toString(), withoutRole3.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
        Assert.assertTrue(withoutRole3.toString(), withoutRole3.getAvailableIndices().equals(ImmutableSet.of("index_a1")));

        // Without test_role1 the first action is granted on no index at all.
        PrivilegesEvaluationResult withoutRole1 = authorization.hasIndexPermission(ctx(user, "test_role2", "test_role3"), ImmutableSet.of(indexAction, indexActionNotWellKnown), indicesA1A2);
        Assert.assertTrue(withoutRole1.toString(), withoutRole1.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
    }

    /**
     * Builds the evaluation context used by the tests in this class.
     *
     * <p>The role names are handed to the context twice: as an {@link ImmutableSet} (second
     * constructor argument) and as the raw array (fourth constructor argument). The action, the
     * request introspector and the special-privileges context are passed as {@code null}.
     * NOTE(review): the second argument is presumably the set of effective roles that
     * authorization is evaluated against; confirm against the
     * {@code PrivilegesEvaluationContext} constructor.
     *
     * @param user   the user the context is created for
     * @param strArr names of the roles to place in the context
     * @return a new context for {@code user} carrying the given role names
     */
    private static PrivilegesEvaluationContext ctx(User user, String... strArr) {
        ImmutableSet<String> roleNames = ImmutableSet.ofArray(strArr);
        return new PrivilegesEvaluationContext(
                user,
                roleNames,
                (Action) null,
                strArr,
                true,
                (ActionRequestIntrospector) null,
                (SpecialPrivilegesEvaluationContext) null);
    }
}
