package com.floragunn.searchguard.authz.int_tests;

import co.elastic.clients.elasticsearch._types.ElasticsearchException;
import co.elastic.clients.elasticsearch.indices.ShrinkResponse;
import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.Document;
import com.floragunn.searchguard.client.RestHighLevelClient;
import com.floragunn.searchguard.configuration.CType;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.RestMatchers;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.certificate.TestCertificates;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchsupport.junit.ThrowableAssert;
import com.floragunn.searchsupport.junit.matcher.DocNodeMatchers;
import com.floragunn.searchsupport.junit.matcher.ExceptionsMatchers;
import com.google.common.collect.ImmutableMap;
import org.apache.http.Header;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.get.GetIndexRequest;
import org.elasticsearch.action.admin.indices.get.GetIndexResponse;
import org.elasticsearch.action.admin.indices.settings.put.UpdateSettingsRequest;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.xcontent.XContentType;
import org.hamcrest.Matcher;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/authz/int_tests/MiscAuthorizationIntTests.class */
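/**
 * Integration tests for assorted Search Guard authorization behaviour: disclosure of
 * missing-permission details, index resolution across local and remote clusters, searches over
 * mixed aliases and indices, the permission REST API, and the privileges required to shrink
 * (resize) an index.
 *
 * <p>All user names and passwords below are fixtures for the embedded test clusters.
 *
 * <p>NOTE(review): every REST and high-level client is opened in try-with-resources. The earlier
 * hand-written close logic skipped closing a client on some failure paths and, in
 * {@code testResizeAction}, referenced an exception variable outside its scope and called
 * {@code th.addSuppressed(th)}, which cannot work.
 */
public class MiscAuthorizationIntTests {

    /** May resize {@code resize_test_source} but holds no privilege on the target index. */
    private static final TestSgConfig.User RESIZE_USER_WITHOUT_CREATE_INDEX_PRIV =
            new TestSgConfig.User("resize_user_without_create_index_priv")
                    .roles(new TestSgConfig.Role("resize_role")
                            .clusterPermissions("*")
                            .indexPermissions("indices:admin/resize", "indices:monitor/stats").on("resize_test_source"));

    /** May resize {@code resize_test_source} and additionally create {@code resize_test_target}. */
    private static final TestSgConfig.User RESIZE_USER =
            new TestSgConfig.User("resize_user")
                    .roles(new TestSgConfig.Role("resize_role")
                            .clusterPermissions("*")
                            .indexPermissions("indices:admin/resize", "indices:monitor/stats").on("resize_test_source")
                            .indexPermissions("SGS_CREATE_INDEX").on("resize_test_target"));

    // The users from here down to HIDDEN_TEST_USER are registered on a cluster below, but no test
    // method in this class references them; each configured privilege boundary should have a
    // test that exercises it.
    private static final TestSgConfig.User SEARCH_TEMPLATE_USER =
            new TestSgConfig.User("search_template_user")
                    .roles(new TestSgConfig.Role("search_template_role")
                            .clusterPermissions("SGS_CLUSTER_COMPOSITE_OPS", "SGS_SEARCH_TEMPLATES")
                            .indexPermissions("SGS_READ").on("resolve_test_*"));

    private static final TestSgConfig.User SEARCH_NO_TEMPLATE_USER =
            new TestSgConfig.User("search_no_template_user")
                    .roles(new TestSgConfig.Role("search_no_template_role")
                            .clusterPermissions("SGS_CLUSTER_COMPOSITE_OPS")
                            .indexPermissions("SGS_READ").on("resolve_test_*"));

    /** Index pattern is a regular expression with a negative lookahead. */
    private static final TestSgConfig.User NEG_LOOKAHEAD_USER =
            new TestSgConfig.User("neg_lookahead_user")
                    .roles(new TestSgConfig.Role("neg_lookahead_user_role")
                            .clusterPermissions("SGS_CLUSTER_COMPOSITE_OPS")
                            .indexPermissions("SGS_READ").on("/^(?!t.*).*/"));

    /** Index pattern is a regular expression with a negated character class. */
    private static final TestSgConfig.User REGEX_USER =
            new TestSgConfig.User("regex_user")
                    .roles(new TestSgConfig.Role("regex_user_role")
                            .clusterPermissions("SGS_CLUSTER_COMPOSITE_OPS")
                            .indexPermissions("SGS_READ").on("/[^a-z].*/"));

    /** Grants the search-template action as an index permission on {@code *}. */
    private static final TestSgConfig.User SEARCH_TEMPLATE_LEGACY_USER =
            new TestSgConfig.User("search_template_legacy_user")
                    .roles(new TestSgConfig.Role("search_template_legacy_role")
                            .clusterPermissions("SGS_CLUSTER_COMPOSITE_OPS")
                            .indexPermissions("SGS_READ").on("resolve_test_*")
                            .indexPermissions("indices:data/read/search/template").on("*"));

    /** Full index permissions, but only on the non-hidden index {@code hidden_test_not_hidden}. */
    private static final TestSgConfig.User HIDDEN_TEST_USER =
            new TestSgConfig.User("hidden_test_user")
                    .roles(new TestSgConfig.Role("hidden_test_user_role")
                            .clusterPermissions("SGS_CLUSTER_COMPOSITE_OPS")
                            .indexPermissions("*").on("hidden_test_not_hidden"));

    /** Test PKI shared by all three clusters: one CA, one node, one client and one admin client. */
    private static final TestCertificates certificatesContext = TestCertificates.builder()
            .ca("CN=root.ca.example.com,OU=SearchGuard,O=SearchGuard")
            .addNodes("CN=node-0.example.com,OU=SearchGuard,O=SearchGuard")
            .addClients("CN=client-0.example.com,OU=SearchGuard,O=SearchGuard")
            .addAdminClients("CN=admin-0.example.com,OU=SearchGuard,O=SearchGuard")
            .build();

    /** Cluster that {@link #cluster} and {@link #clusterFof} reach as the remote {@code my_remote}. */
    @ClassRule
    public static final LocalCluster.Embedded anotherCluster = new LocalCluster.Builder()
            .singleNode()
            .sslEnabled(certificatesContext)
            .user("resolve_test_user", "secret",
                    new TestSgConfig.Role("resolve_test_user_role").indexPermissions("*").on("resolve_test_allow_*"))
            .embedded()
            .build();

    /** Primary cluster; it does not override {@code ignoreUnauthorizedIndices}. */
    @ClassRule
    public static final LocalCluster.Embedded cluster = new LocalCluster.Builder()
            .singleNode()
            .sslEnabled(certificatesContext)
            .remote("my_remote", anotherCluster)
            .user("resolve_test_user", "secret",
                    new TestSgConfig.Role("resolve_test_user_role")
                            .indexPermissions("*").on("resolve_test_allow_*")
                            .indexPermissions("*").on("/alias_resolve_test_index_allow_.*/"))
            .user("admin", "admin", new TestSgConfig.Role("admin_role").clusterPermissions("*"))
            .user("permssion_rest_api_user", "secret",
                    new TestSgConfig.Role("permssion_rest_api_user_role").clusterPermissions("indices:data/read/mtv"))
            .user("limited_test_user_basic", "secret",
                    new TestSgConfig.Role("role").clusterPermissions("*").indexPermissions("*").on("exclude_test_*"))
            .users(SEARCH_TEMPLATE_USER, SEARCH_NO_TEMPLATE_USER, SEARCH_TEMPLATE_LEGACY_USER)
            .embedded()
            .build();

    /**
     * Cluster configured with {@code ignoreUnauthorizedIndices(false)}.
     * NOTE(review): "Fof" presumably stands for "fail on forbidden" - confirm.
     */
    @ClassRule
    public static final LocalCluster.Embedded clusterFof = new LocalCluster.Builder()
            .singleNode()
            .sslEnabled(certificatesContext)
            .remote("my_remote", anotherCluster)
            .ignoreUnauthorizedIndices(false)
            .user("resolve_test_user", "secret",
                    new TestSgConfig.Role("resolve_test_user_role")
                            .indexPermissions("*").on("resolve_test_allow_*")
                            .indexPermissions("*").on("/alias_resolve_test_index_allow_.*/"))
            .users(RESIZE_USER, RESIZE_USER_WITHOUT_CREATE_INDEX_PRIV, NEG_LOOKAHEAD_USER, REGEX_USER, HIDDEN_TEST_USER)
            .embedded()
            .build();

    /**
     * Indexes one JSON document with an immediate refresh and waits for the request to complete.
     *
     * @param client internal node client of the cluster that receives the document
     * @param index  name of the target index
     * @param source alternating field names and values of the document
     */
    private static void indexDoc(Client client, String index, Object... source) {
        client.index(new IndexRequest(index)
                .setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE)
                .source(XContentType.JSON, source)).actionGet();
    }

    /**
     * Seeds all three clusters with "allow" and "disallow" indices, aliases and one hidden index,
     * so that each test can assert both what a user sees and what stays filtered out.
     */
    @BeforeClass
    public static void setupTestData() {
        Client client = cluster.getInternalNodeClient();
        indexDoc(client, "resolve_test_allow_1", "index", "resolve_test_allow_1", "b", "y", "date", "1985/01/01");
        indexDoc(client, "resolve_test_allow_2", "index", "resolve_test_allow_2", "b", "yy", "date", "1985/01/01");
        indexDoc(client, "resolve_test_disallow_1", "index", "resolve_test_disallow_1", "b", "yy", "date", "1985/01/01");
        indexDoc(client, "resolve_test_disallow_2", "index", "resolve_test_disallow_2", "b", "yy", "date", "1985/01/01");
        indexDoc(client, "alias_resolve_test_index_allow_1", "index", "alias_resolve_test_index_allow_1", "b", "y", "date", "1985/01/01");
        indexDoc(client, "alias_resolve_test_index_allow_aliased_1", "index", "alias_resolve_test_index_allow_aliased_1", "b", "y", "date", "1985/01/01");
        indexDoc(client, "alias_resolve_test_index_allow_aliased_2", "index", "alias_resolve_test_index_allow_aliased_2", "b", "y", "date", "1985/01/01");
        client.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(
                IndicesAliasesRequest.AliasActions.add().alias("alias_resolve_test_alias_1").index("alias_resolve_test_*"))).actionGet();

        Client fofClient = clusterFof.getInternalNodeClient();
        indexDoc(fofClient, "resolve_test_allow_1", "index", "resolve_test_allow_1", "b", "y", "date", "1985/01/01");
        indexDoc(fofClient, "resolve_test_allow_2", "index", "resolve_test_allow_2", "b", "yy", "date", "1985/01/01");
        indexDoc(fofClient, "resolve_test_disallow_1", "index", "resolve_test_disallow_1", "b", "yy", "date", "1985/01/01");
        indexDoc(fofClient, "resolve_test_disallow_2", "index", "resolve_test_disallow_2", "b", "yy", "date", "1985/01/01");
        fofClient.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(
                new IndicesAliasesRequest.AliasActions(IndicesAliasesRequest.AliasActions.Type.ADD)
                        .alias("resolve_test_allow_alias").indices(new String[]{"resolve_test_*"}))).actionGet();
        indexDoc(fofClient, "hidden_test_not_hidden", "index", "hidden_test_not_hidden", "b", "y", "date", "1985/01/01");
        fofClient.admin().indices().create(
                new CreateIndexRequest(".hidden_test_actually_hidden").settings(ImmutableMap.of("index.hidden", true))).actionGet();
        fofClient.index(new IndexRequest(".hidden_test_actually_hidden").id("test").source("a", "b")
                .setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE)).actionGet();

        Client remoteClient = anotherCluster.getInternalNodeClient();
        indexDoc(remoteClient, "resolve_test_allow_remote_1", "a", "x", "b", "y", "date", "1985/01/01");
        indexDoc(remoteClient, "resolve_test_allow_remote_2", "a", "xx", "b", "yy", "date", "1985/01/01");
        indexDoc(remoteClient, "resolve_test_disallow_remote_1", "a", "xx", "b", "yy", "date", "1985/01/01");
        indexDoc(remoteClient, "resolve_test_disallow_remote_2", "a", "xx", "b", "yy", "date", "1985/01/01");
    }

    /**
     * Verifies that a 403 response names the missing permissions only while the authz
     * {@code debug} option is switched on. With the option off the response must stay forbidden
     * and must not carry {@code error.missing_permissions}, so a caller cannot learn from the
     * denial which privileges guard the resource.
     */
    @Test
    public void detailsAboutMissingPermissions_shouldBeReturnedOnlyWhenAuthzDebugIsEnabled() throws Exception {
        try (GenericRestClient adminCertClient = cluster.getAdminCertRestClient();
                GenericRestClient restClient = cluster.getRestClient("limited_test_user_basic", "secret", new Header[0])) {
            // NOTE(review): callAndRestoreConfig presumably puts the authz config back afterwards - confirm.
            GenericRestClient.HttpResponse withoutDebug = (GenericRestClient.HttpResponse) cluster.callAndRestoreConfig(CType.AUTHZ, () -> {
                MatcherAssert.assertThat(adminCertClient.putJson("/_searchguard/config/authz", (Document<?>) DocNode.of("debug", true)), RestMatchers.isOk());
                GenericRestClient.HttpResponse withDebug = restClient.get("alias_resolve_test_alias_1", new Header[0]);
                MatcherAssert.assertThat(withDebug, RestMatchers.isForbidden());
                MatcherAssert.assertThat(withDebug.getBody(), withDebug.getBodyAsDocNode(),
                        DocNodeMatchers.containsFieldPointedByJsonPath("error", "missing_permissions"));

                // Switch debug off again by writing an empty authz config, then repeat the request.
                MatcherAssert.assertThat(adminCertClient.putJson("/_searchguard/config/authz", (Document<?>) DocNode.EMPTY), RestMatchers.isOk());
                return restClient.get("alias_resolve_test_alias_1", new Header[0]);
            });
            MatcherAssert.assertThat(withoutDebug, RestMatchers.isForbidden());
            MatcherAssert.assertThat(withoutDebug.getBody(), withoutDebug.getBodyAsDocNode(),
                    Matchers.not(DocNodeMatchers.containsFieldPointedByJsonPath("error", "missing_permissions")));
        }
    }

    /**
     * Resolving a wildcard against the remote cluster must list only the remote indices the user
     * is permitted on; the {@code resolve_test_disallow_remote_*} indices must not appear.
     */
    @Test
    public void resolveTestRemote() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("resolve_test_user", "secret", new Header[0])) {
            GenericRestClient.HttpResponse response = restClient.get("/_resolve/index/my_remote:resolve_test_*", new Header[0]);
            MatcherAssert.assertThat(response, RestMatchers.isOk());
            MatcherAssert.assertThat(response, RestMatchers.json(RestMatchers.nodeAt("indices[*].name",
                    Matchers.contains("my_remote:resolve_test_allow_remote_1", "my_remote:resolve_test_allow_remote_2"))));
        }
    }

    /**
     * Resolving a mixed local and remote expression must return exactly the permitted indices of
     * both clusters, in order, and none of the "disallow" indices.
     */
    @Test
    public void resolveTestLocalRemoteMixed() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("resolve_test_user", "secret", new Header[0])) {
            GenericRestClient.HttpResponse response = restClient.get("/_resolve/index/resolve_test_*,my_remote:resolve_test_*_remote_*", new Header[0]);
            MatcherAssert.assertThat(response, RestMatchers.isOk());
            MatcherAssert.assertThat(response, RestMatchers.json(RestMatchers.nodeAt("indices[*].name",
                    Matchers.contains("resolve_test_allow_1", "resolve_test_allow_2",
                            "my_remote:resolve_test_allow_remote_1", "my_remote:resolve_test_allow_remote_2"))));
        }
    }

    /**
     * A search whose wildcard matches both an alias and concrete indices must return the
     * documents of the three permitted {@code alias_resolve_test_index_allow_*} indices.
     */
    @Test
    public void readAliasAndIndexMixed() throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient("resolve_test_user", "secret", new Header[0])) {
            GenericRestClient.HttpResponse response = restClient.get("/alias_resolve_test_*/_search", new Header[0]);
            MatcherAssert.assertThat(response, RestMatchers.isOk());
            MatcherAssert.assertThat(response, RestMatchers.json(RestMatchers.nodeAt("hits.hits[*]._source.index",
                    Matchers.containsInAnyOrder("alias_resolve_test_index_allow_aliased_1",
                            "alias_resolve_test_index_allow_aliased_2", "alias_resolve_test_index_allow_1"))));
        }
    }

    /**
     * The permission API must answer per caller: the admin (cluster permission {@code *}) holds
     * both queried permissions, while the restricted user holds only the one explicitly granted.
     * NOTE(review): despite the method name, only cluster permissions are checked here; no
     * tenant privilege is evaluated.
     */
    @Test
    public void permissionApi_evaluateClusterAndTenantPrivileges() throws Exception {
        String permissionQuery = "/_searchguard/permission?permissions=indices:data/read/mtv,indices:data/read/viva";

        try (GenericRestClient adminClient = cluster.getRestClient("admin", "admin", new Header[0]);
                GenericRestClient limitedClient = cluster.getRestClient("permssion_rest_api_user", "secret", new Header[0])) {
            GenericRestClient.HttpResponse adminResponse = adminClient.get(permissionQuery, new Header[0]);
            MatcherAssert.assertThat(adminResponse, RestMatchers.isOk());
            MatcherAssert.assertThat(adminResponse, RestMatchers.json(RestMatchers.nodeAt("permissions['indices:data/read/mtv']", Matchers.equalTo(true))));
            MatcherAssert.assertThat(adminResponse, RestMatchers.json(RestMatchers.nodeAt("permissions['indices:data/read/viva']", Matchers.equalTo(true))));

            GenericRestClient.HttpResponse limitedResponse = limitedClient.get(permissionQuery, new Header[0]);
            MatcherAssert.assertThat(limitedResponse, RestMatchers.isOk());
            MatcherAssert.assertThat(limitedResponse, RestMatchers.json(RestMatchers.nodeAt("permissions['indices:data/read/mtv']", Matchers.equalTo(true))));
            MatcherAssert.assertThat(limitedResponse, RestMatchers.json(RestMatchers.nodeAt("permissions['indices:data/read/viva']", Matchers.equalTo(false))));
        }
    }

    /**
     * Asserts that a shrink request issued as {@code user} is rejected with an
     * "Insufficient permissions" {@link ElasticsearchException}.
     *
     * @param user        user whose credentials are used for the request
     * @param sourceIndex index to shrink
     * @param targetIndex index the shrink would create
     */
    private static void assertShrinkDenied(TestSgConfig.User user, String sourceIndex, String targetIndex) throws Exception {
        try (RestHighLevelClient client = clusterFof.getRestHighLevelClient(user)) {
            ThrowableAssert.assertThatThrown(() -> {
                client.getJavaClient().indices().shrink(builder -> builder.index(sourceIndex).target(targetIndex));
            }, new Matcher[]{Matchers.instanceOf(ElasticsearchException.class), ExceptionsMatchers.messageContainsMatcher("Insufficient permissions")});
        }
    }

    /**
     * Shrinking an index needs the resize privilege on the source index and the create-index
     * privilege on the target index. Requests missing either one must be rejected; only the
     * fully privileged request may create the target.
     */
    @Test
    public void testResizeAction() throws Exception {
        String sourceIndex = "resize_test_source";
        String targetIndex = "resize_test_target";

        Client client = clusterFof.getInternalNodeClient();
        client.admin().indices().create(new CreateIndexRequest(sourceIndex)
                .settings(Settings.builder().put("index.number_of_shards", 5).build())).actionGet();
        indexDoc(client, sourceIndex, "index", "a", "b", "y", "date", "1985/01/01");
        // The source index is write-blocked before the shrink requests are sent.
        client.admin().indices().updateSettings(new UpdateSettingsRequest(new String[]{sourceIndex})
                .settings(Settings.builder().put("index.blocks.write", true).build())).actionGet();
        // NOTE(review): presumably gives the settings update time to take effect - confirm; a
        // readiness check would be less timing-dependent than a fixed sleep.
        Thread.sleep(300L);

        // No create privilege on the target: denied for an unrelated and for the permitted source.
        assertShrinkDenied(RESIZE_USER_WITHOUT_CREATE_INDEX_PRIV, "whatever", targetIndex);
        assertShrinkDenied(RESIZE_USER_WITHOUT_CREATE_INDEX_PRIV, sourceIndex, targetIndex);
        // Create privilege on the target, but no resize privilege on this source: still denied.
        assertShrinkDenied(RESIZE_USER, "whatever", targetIndex);

        try (RestHighLevelClient resizeClient = clusterFof.getRestHighLevelClient(RESIZE_USER)) {
            ShrinkResponse shrink = resizeClient.getJavaClient().indices()
                    .shrink(builder -> builder.index(sourceIndex).target(targetIndex));
            MatcherAssert.assertThat(shrink.toString(), shrink.acknowledged(), Matchers.is(true));
        }

        // Confirm through the internal client that the target index now exists.
        GetIndexResponse targetLookup = (GetIndexResponse) clusterFof.getInternalNodeClient().admin().indices()
                .getIndex(new GetIndexRequest().indices(new String[]{targetIndex})).actionGet();
        MatcherAssert.assertThat(targetLookup.indices().length > 0, Matchers.is(true));
    }
}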
