package com.floragunn.searchguard.authz;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.Format;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.SearchGuardModulesRegistry;
import com.floragunn.searchguard.authz.PrivilegesEvaluationResult;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.authz.actions.Actions;
import com.floragunn.searchguard.authz.actions.ResolvedIndices;
import com.floragunn.searchguard.authz.config.ActionGroup;
import com.floragunn.searchguard.authz.config.Role;
import com.floragunn.searchguard.configuration.CType;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.meta.Meta;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.stream.Collectors;
import org.elasticsearch.common.unit.ByteSizeUnit;
import org.elasticsearch.common.unit.ByteSizeValue;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.junit.runners.Suite;

@RunWith(Suite.class)
@Suite.SuiteClasses({ClusterPermissions.class, IndexPermissions.class, IndexPermissionsSpecial.class, AliasPermissions.class, AliasPermissionsSpecial.class, DataStreamPermissions.class})
/* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorizationTests.class */
public class RoleBasedActionAuthorizationTests {
    // Action registry shared by every nested suite; constructed with a null modules registry.
    private static final Actions actions = new Actions((SearchGuardModulesRegistry) null);
    // 10 MB; passed as the last constructor argument of every RoleBasedActionAuthorization built
    // in this file. NOTE(review): presumably a size bound for the stateful index - confirm.
    private static final ByteSizeValue STATEFUL_SIZE = new ByteSizeValue(10, ByteSizeUnit.MB);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorizationTests$ActionSpec.class */
    /**
     * One "action" dimension of the parameterized suites: the action privileges a role is
     * granted ({@link #givenPrivs}) and the actions a request requires ({@link #requiredPrivs}).
     *
     * <p>Instances are built fluently and then only read by the test classes.
     */
    public static class ActionSpec {
        // Label returned by toString(); the suites hand the whole spec to the Parameterized runner.
        String name;
        // Privilege names or patterns granted to the role under test.
        ImmutableList<String> givenPrivs;
        // Required action names resolved through the shared action registry.
        ImmutableSet<Action> requiredPrivs;
        // The first required action.
        Action primaryAction;
        // True when at least one required action is an Action.WellKnownAction.
        boolean wellKnownActions;

        ActionSpec(String label) {
            this.name = label;
        }

        /** Records the privileges granted to the role; returns this spec for chaining. */
        ActionSpec givenPrivs(String... granted) {
            this.givenPrivs = ImmutableList.ofArray(granted);
            return this;
        }

        /**
         * Resolves the required action names and derives {@link #primaryAction} (the first name)
         * and {@link #wellKnownActions}; returns this spec for chaining.
         *
         * <p>At least one name must be supplied, because the first element is read unconditionally.
         */
        ActionSpec requiredPrivs(String... required) {
            this.requiredPrivs = ImmutableSet.ofArray(required)
                    .map(actionName -> RoleBasedActionAuthorizationTests.actions.get(actionName));
            this.primaryAction = RoleBasedActionAuthorizationTests.actions.get(required[0]);
            this.wellKnownActions = this.requiredPrivs
                    .forAnyApplies(candidate -> candidate instanceof Action.WellKnownAction);
            return this;
        }

        @Override
        public String toString() {
            return this.name;
        }
    }

    /**
     * Parameterized authorization tests for requests that target aliases and their member indices.
     *
     * <p>Each instance combines one {@code IndexSpec} (what the role is granted on), one
     * {@link ActionSpec} (which actions are granted and required) and one {@code Statefulness}
     * value. Positive tests evaluate the request under {@code test_role}; negative tests use
     * either {@code other_role} or an action outside the grant and expect INSUFFICIENT.
     */
    @RunWith(Parameterized.class)
    /* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorizationTests$AliasPermissions.class */
    public static class AliasPermissions {
        final ActionSpec actionSpec;
        final IndexSpec indexSpec;
        // Role configuration generated from indexSpec and actionSpec.
        final SgDynamicConfiguration<Role> roles;
        final Action primaryAction;
        final ImmutableSet<Action> requiredActions;
        // A single action that none of the grants in params() names; used by the negative tests.
        final ImmutableSet<Action> otherActions;
        final RoleBasedActionAuthorization subject;
        // dept_no=a1 feeds the "alias_${user.attrs.dept_no}" grant in params()
        // (presumably resolving to alias_a1 - confirm against the pattern substitution code).
        final User user = User.forUser("test").attribute("dept_no", "a1").build();
        // Six indices; alias_a spans the four index_a* indices, alias_a1/alias_a2 two each,
        // alias_b the two index_b* indices.
        static final Meta BASIC = Meta.Mock
                .indices(new String[]{"index_a11", "index_a12", "index_a21", "index_a22", "index_b1", "index_b2"})
                .alias("alias_a").of(new String[]{"index_a11", "index_a12", "index_a21", "index_a22"})
                .alias("alias_a1").of(new String[]{"index_a11", "index_a12"})
                .alias("alias_a2").of(new String[]{"index_a21", "index_a22"})
                .alias("alias_b").of(new String[]{"index_b1", "index_b2"});

        /**
         * Requests the single alias {@code alias_a1}. The expected status depends on how the
         * grant was expressed: via an alias pattern, via an index wildcard, or via one index.
         */
        @Test
        public void positive_alias_full() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"),
                    this.primaryAction,
                    this.requiredActions,
                    ResolvedIndices.of(BASIC, new String[]{"alias_a1"}),
                    Action.Scope.INDEX_LIKE);

            if (!this.indexSpec.givenAliasPrivs.isEmpty()) {
                // Every alias grant listed in params() is expected to cover alias_a1 itself.
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.OK);
                return;
            }
            if (this.indexSpec.wildcardPrivs) {
                // No alias grant: access is only available on the alias' member indices.
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.OK_WHEN_RESOLVED);
                Assert.assertTrue(result.toString(),
                        result.getAvailableIndices().equals(ImmutableSet.of("index_a11", "index_a12")));
                return;
            }
            // Remaining combination in params(): a grant on index_a11 only.
            Assert.assertTrue(result.toString(),
                    result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
            Assert.assertTrue(result.toString(),
                    result.getAvailableIndices().equals(ImmutableSet.of("index_a11")));
        }

        /** Requests {@code index_a11} directly; every combination in params() must yield OK. */
        @Test
        public void positive_index_full() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"),
                    this.primaryAction,
                    this.requiredActions,
                    ResolvedIndices.of(BASIC, new String[]{"index_a11"}),
                    Action.Scope.INDEX_LIKE);

            Assert.assertTrue(result.toString(),
                    result.getStatus() == PrivilegesEvaluationResult.Status.OK);
        }

        /**
         * Requests three aliases of which most grants cover only a part. Unless the grant is a
         * wildcard, the result must be PARTIALLY_OK and list exactly the authorized names, so
         * that nothing outside the grant is reported as available.
         */
        @Test
        public void positive_alias_partial() throws Exception {
            // NOTE(review): unlike the sibling tests, no Action.Scope is passed here - confirm
            // that this overload applies the scope the test intends.
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"),
                    this.primaryAction,
                    this.requiredActions,
                    ResolvedIndices.of(BASIC, new String[]{"alias_a1", "alias_a2", "alias_b"}));

            if (this.indexSpec.aliasWildcardPrivs) {
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.OK);
            } else if (this.indexSpec.wildcardPrivs) {
                // Index wildcard only: all six member indices are available once resolved.
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.OK_WHEN_RESOLVED);
                Assert.assertTrue(result.toString(),
                        result.getAvailableIndices().equals(ImmutableSet.of("index_b1", new String[]{"index_b2", "index_a12", "index_a11", "index_a22", "index_a21"})));
            } else if (this.indexSpec.givenAliasPrivs.contains("alias_a*") && this.indexSpec.givenAliasPrivs.contains("-alias_a2")) {
                // The "-alias_a2" exclusion must remove alias_a2 from what "alias_a*" grants.
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(),
                        result.getAvailableIndices().equals(ImmutableSet.of("alias_a1")));
            } else if (this.indexSpec.givenAliasPrivs.contains("alias_a*")) {
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(),
                        result.getAvailableIndices().equals(ImmutableSet.of("alias_a1", "alias_a2")));
            } else if (this.indexSpec.givenAliasPrivs.isEmpty() && this.indexSpec.givenIndexPrivs.equals(ImmutableList.of("index_a11"))) {
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(),
                        result.getAvailableIndices().equals(ImmutableSet.of("index_a11")));
            } else {
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(),
                        result.getAvailableIndices().equals(ImmutableSet.of("alias_a1")));
            }
        }

        /**
         * Requests four concrete indices, one of them ({@code index_b1}) outside every
         * non-wildcard grant; the available set must never contain it.
         */
        @Test
        public void positive_index_partial() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"),
                    this.primaryAction,
                    this.requiredActions,
                    ResolvedIndices.of(BASIC, new String[]{"index_a11", "index_a12", "index_a21", "index_b1"}),
                    Action.Scope.INDEX_LIKE);

            if (this.indexSpec.wildcardPrivs || this.indexSpec.aliasWildcardPrivs) {
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.OK);
            } else if (this.indexSpec.givenAliasPrivs.contains("alias_a*") && !this.indexSpec.givenAliasPrivs.contains("-alias_a")) {
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(),
                        result.getAvailableIndices().equals(ImmutableSet.of("index_a11", new String[]{"index_a12", "index_a21"})));
            } else if (this.indexSpec.givenAliasPrivs.isEmpty() && this.indexSpec.givenIndexPrivs.equals(ImmutableList.of("index_a11"))) {
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(),
                        result.getAvailableIndices().equals(ImmutableSet.of("index_a11")));
            } else {
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(),
                        result.getAvailableIndices().equals(ImmutableSet.of("index_a11", "index_a12")));
            }
        }

        /** A context carrying only {@code other_role} must be rejected for an index request. */
        @Test
        public void negative_wrongRole() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(this.user, "other_role"),
                    this.primaryAction,
                    this.requiredActions,
                    ResolvedIndices.of(BASIC, new String[]{"index_a11"}),
                    Action.Scope.INDEX_LIKE);

            Assert.assertTrue(result.toString(),
                    result.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }

        /** The right role with an action outside the grant must be rejected for an index request. */
        @Test
        public void negative_wrongAction() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"),
                    (Action) this.otherActions.any(),
                    this.otherActions,
                    ResolvedIndices.of(BASIC, new String[]{"index_a11"}),
                    Action.Scope.INDEX_LIKE);

            Assert.assertTrue(result.toString(),
                    result.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }

        /** A context carrying only {@code other_role} must be rejected for an alias request. */
        @Test
        public void negative_wrongRole_alias() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(this.user, "other_role"),
                    this.primaryAction,
                    this.requiredActions,
                    ResolvedIndices.of(BASIC, new String[]{"alias_a1"}),
                    Action.Scope.INDEX_LIKE);

            Assert.assertTrue(result.toString(),
                    result.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }

        /** The right role with an action outside the grant must be rejected for an alias request. */
        @Test
        public void negative_wrongAction_alias() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"),
                    (Action) this.otherActions.any(),
                    this.otherActions,
                    ResolvedIndices.of(BASIC, new String[]{"alias_a1"}),
                    Action.Scope.INDEX_LIKE);

            Assert.assertTrue(result.toString(),
                    result.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }

        /**
         * Builds the cross product of index/alias grants, action grants and statefulness values.
         * Fresh ActionSpec objects are created for every index spec, as in the original loop.
         */
        @Parameterized.Parameters(name = "{0};  actions: {1};  {2}")
        public static Collection<Object[]> params() {
            ArrayList<Object[]> combinations = new ArrayList<>();
            for (IndexSpec indexSpec : Arrays.asList(
                    new IndexSpec().givenIndexPrivs("*"),
                    new IndexSpec().givenAliasPrivs("*"),
                    new IndexSpec().givenAliasPrivs("alias_a1"),
                    new IndexSpec().givenAliasPrivs("alias_a*"),
                    new IndexSpec().givenAliasPrivs("alias_${user.attrs.dept_no}"),
                    new IndexSpec().givenAliasPrivs("alias_a*", "-alias_a2", "-alias_a"),
                    new IndexSpec().givenIndexPrivs("index_a11"))) {
                for (ActionSpec actionSpec : Arrays.asList(
                        new ActionSpec("constant, well known").givenPrivs("indices:data/read/search").requiredPrivs("indices:data/read/search"),
                        new ActionSpec("pattern, well known").givenPrivs("indices:data/read/*").requiredPrivs("indices:data/read/search"),
                        new ActionSpec("pattern, well known, two required privs").givenPrivs("indices:data/read/*").requiredPrivs("indices:data/read/search", "indices:data/read/get"),
                        new ActionSpec("constant, non well known").givenPrivs("indices:unknown/unwell").requiredPrivs("indices:unknown/unwell"),
                        new ActionSpec("pattern, non well known").givenPrivs("indices:unknown/*").requiredPrivs("indices:unknown/unwell"),
                        new ActionSpec("pattern, non well known, two required privs").givenPrivs("indices:unknown/*").requiredPrivs("indices:unknown/unwell", "indices:unknown/notatall"))) {
                    for (Statefulness statefulness : Statefulness.values()) {
                        combinations.add(new Object[]{indexSpec, actionSpec, statefulness});
                    }
                }
            }
            return combinations;
        }

        /**
         * Creates the authorization instance for one parameter combination. The index metadata
         * is supplied only for {@code Statefulness.STATEFUL}; otherwise null is passed.
         */
        public AliasPermissions(IndexSpec indexSpec, ActionSpec actionSpec, Statefulness statefulness) throws Exception {
            this.indexSpec = indexSpec;
            this.actionSpec = actionSpec;
            this.roles = indexSpec.toRolesConfig(actionSpec);
            this.primaryAction = actionSpec.primaryAction;
            this.requiredActions = actionSpec.requiredPrivs;

            // Pick an ungranted action of the same kind (well-known or not) as the required ones.
            String ungrantedActionName = actionSpec.wellKnownActions ? "indices:data/write/update" : "indices:foobar/unknown";
            this.otherActions = ImmutableSet.of(RoleBasedActionAuthorizationTests.actions.get(ungrantedActionName));

            Meta indexMetadata = statefulness == Statefulness.STATEFUL ? BASIC : null;
            this.subject = new RoleBasedActionAuthorization(
                    this.roles,
                    ActionGroup.FlattenedIndex.EMPTY,
                    RoleBasedActionAuthorizationTests.actions,
                    indexMetadata,
                    ImmutableSet.empty(),
                    RoleBasedActionAuthorizationTests.STATEFUL_SIZE);
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorizationTests$AliasPermissionsSpecial.class */
    /**
     * Hand-written alias scenarios with index metadata supplied to the authorization instance.
     * Each test checks a full grant, a partial grant and a rejection for an unrelated role.
     */
    public static class AliasPermissionsSpecial {
        /**
         * Role grants a well-known write action on the constant alias {@code alias_constant_a}.
         * The alias and its member index are authorized; {@code index_b1} never appears in the
         * available set; {@code other_role} is rejected.
         */
        @Test
        public void wellKnown_constantAction_constantAlias_statefulIndices() throws Exception {
            Action indexAction = RoleBasedActionAuthorizationTests.actions.get("indices:data/write/index");
            Assert.assertTrue(indexAction.toString(), indexAction instanceof Action.WellKnownAction);

            SgDynamicConfiguration roles = (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                    DocNode.parse(Format.YAML).from("test_role:\n  alias_permissions:\n  - alias_patterns: ['alias_constant_a']\n    allowed_actions: ['indices:data/write/index']"),
                    CType.ROLES,
                    (ConfigurationRepository.Context) null).get();
            ImmutableSet emptySet = ImmutableSet.empty();
            Meta meta = Meta.Mock
                    .indices(new String[]{"index_a1", "index_a2", "index_b1", "index_b2"})
                    .alias("alias_constant_a").of(new String[]{"index_a1", "index_a2"});
            RoleBasedActionAuthorization subject = new RoleBasedActionAuthorization(
                    roles, ActionGroup.FlattenedIndex.EMPTY, RoleBasedActionAuthorizationTests.actions,
                    meta, emptySet, RoleBasedActionAuthorizationTests.STATEFUL_SIZE);
            User user = User.forUser("test").build();

            // The granted alias on its own.
            PrivilegesEvaluationResult aliasOnly = subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(user, "test_role"), indexAction, ImmutableSet.of(indexAction),
                    ResolvedIndices.of(meta, new String[]{"alias_constant_a"}));
            Assert.assertTrue(aliasOnly.toString(),
                    aliasOnly.getStatus() == PrivilegesEvaluationResult.Status.OK);

            // A member index of the granted alias.
            PrivilegesEvaluationResult memberIndex = subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(user, "test_role"), indexAction, ImmutableSet.of(indexAction),
                    ResolvedIndices.of(meta, new String[]{"index_a1"}),
                    Action.Scope.INDEX_LIKE);
            Assert.assertTrue(memberIndex.toString(),
                    memberIndex.getStatus() == PrivilegesEvaluationResult.Status.OK);

            // Granted alias plus an index outside it: only the alias is available.
            PrivilegesEvaluationResult aliasPlusForeign = subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(user, "test_role"), indexAction, ImmutableSet.of(indexAction),
                    ResolvedIndices.of(meta, new String[]{"alias_constant_a", "index_b1"}));
            Assert.assertTrue(aliasPlusForeign.toString(),
                    aliasPlusForeign.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
            Assert.assertTrue(aliasPlusForeign.toString(),
                    aliasPlusForeign.getAvailableIndices().equals(ImmutableSet.of("alias_constant_a")));

            // Member index plus an index outside the alias: only the member index is available.
            PrivilegesEvaluationResult memberPlusForeign = subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(user, "test_role"), indexAction, ImmutableSet.of(indexAction),
                    ResolvedIndices.of(meta, new String[]{"index_a1", "index_b1"}));
            Assert.assertTrue(memberPlusForeign.toString(),
                    memberPlusForeign.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
            Assert.assertTrue(memberPlusForeign.toString(),
                    memberPlusForeign.getAvailableIndices().equals(ImmutableSet.of("index_a1")));

            // A role without the grant gets nothing, not a partial result.
            PrivilegesEvaluationResult wrongRole = subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(user, "other_role"), indexAction, ImmutableSet.of(indexAction),
                    ResolvedIndices.of(meta, new String[]{"alias_constant_a", "index_b1"}));
            Assert.assertTrue(wrongRole.toString(),
                    wrongRole.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }

        /**
         * Role grants a well-known read action on the alias pattern {@code alias_a*}. Matching
         * aliases and their member indices are authorized; {@code alias_b} and {@code index_b1}
         * never appear in the available set; {@code other_role} is rejected.
         */
        @Test
        public void wellKnown_constantAction_indexPattern_statefulIndices() throws Exception {
            Action searchAction = RoleBasedActionAuthorizationTests.actions.get("indices:data/read/search");
            Assert.assertTrue(searchAction.toString(), searchAction instanceof Action.WellKnownAction);

            SgDynamicConfiguration roles = (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                    DocNode.parse(Format.YAML).from("test_role:\n  alias_permissions:\n  - alias_patterns: ['alias_a*']\n    allowed_actions: ['indices:data/read/search']"),
                    CType.ROLES,
                    (ConfigurationRepository.Context) null).get();
            ImmutableSet emptySet = ImmutableSet.empty();
            Meta meta = Meta.Mock
                    .indices(new String[]{"index_a11", "index_a12", "index_a21", "index_a22", "index_b1", "index_b2"})
                    .alias("alias_a1").of(new String[]{"index_a11", "index_a12"})
                    .alias("alias_a2").of(new String[]{"index_a21", "index_a22"})
                    .alias("alias_b").of(new String[]{"index_b1", "index_b2"});
            RoleBasedActionAuthorization subject = new RoleBasedActionAuthorization(
                    roles, ActionGroup.FlattenedIndex.EMPTY, RoleBasedActionAuthorizationTests.actions,
                    meta, emptySet, RoleBasedActionAuthorizationTests.STATEFUL_SIZE);
            User user = User.forUser("test").build();

            // An alias matching the granted pattern.
            PrivilegesEvaluationResult aliasOnly = subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(user, "test_role"), searchAction, ImmutableSet.of(searchAction),
                    ResolvedIndices.of(meta, new String[]{"alias_a1"}),
                    Action.Scope.INDEX_LIKE);
            Assert.assertTrue(aliasOnly.toString(),
                    aliasOnly.getStatus() == PrivilegesEvaluationResult.Status.OK);

            // A member index of a matching alias.
            PrivilegesEvaluationResult memberIndex = subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(user, "test_role"), searchAction, ImmutableSet.of(searchAction),
                    ResolvedIndices.of(meta, new String[]{"index_a11"}),
                    Action.Scope.INDEX_LIKE);
            Assert.assertTrue(memberIndex.toString(),
                    memberIndex.getStatus() == PrivilegesEvaluationResult.Status.OK);

            // Matching alias plus a non-matching alias.
            PrivilegesEvaluationResult twoAliases = subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(user, "test_role"), searchAction, ImmutableSet.of(searchAction),
                    ResolvedIndices.of(meta, new String[]{"alias_a1", "alias_b"}));
            Assert.assertTrue(twoAliases.toString(),
                    twoAliases.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
            Assert.assertTrue(twoAliases.toString(),
                    twoAliases.getAvailableIndices().equals(ImmutableSet.of("alias_a1")));

            // Matching alias plus an index outside every matching alias.
            PrivilegesEvaluationResult aliasPlusForeign = subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(user, "test_role"), searchAction, ImmutableSet.of(searchAction),
                    ResolvedIndices.of(meta, new String[]{"alias_a1", "index_b1"}));
            Assert.assertTrue(aliasPlusForeign.toString(),
                    aliasPlusForeign.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
            Assert.assertTrue(aliasPlusForeign.toString(),
                    aliasPlusForeign.getAvailableIndices().equals(ImmutableSet.of("alias_a1")));

            // Member index plus an index outside every matching alias.
            PrivilegesEvaluationResult memberPlusForeign = subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(user, "test_role"), searchAction, ImmutableSet.of(searchAction),
                    ResolvedIndices.of(meta, new String[]{"index_a11", "index_b1"}));
            Assert.assertTrue(memberPlusForeign.toString(),
                    memberPlusForeign.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
            Assert.assertTrue(memberPlusForeign.toString(),
                    memberPlusForeign.getAvailableIndices().equals(ImmutableSet.of("index_a11")));

            // A role without the grant gets nothing, not a partial result.
            PrivilegesEvaluationResult wrongRole = subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(user, "other_role"), searchAction, ImmutableSet.of(searchAction),
                    ResolvedIndices.of(meta, new String[]{"alias_a1", "index_b1"}));
            Assert.assertTrue(wrongRole.toString(),
                    wrongRole.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorizationTests$ClusterPermissions.class */
    /**
     * Cluster-level authorization tests. No index metadata is supplied (null is passed), and
     * each test checks both the grant and the cases that must stay denied.
     */
    public static class ClusterPermissions {
        /**
         * A well-known action matched by the role's pattern is allowed under {@code test_role},
         * denied under {@code other_role}, and a sibling action outside the pattern is denied.
         */
        @Test
        public void clusterAction_wellKnown() throws Exception {
            Action statsAction = RoleBasedActionAuthorizationTests.actions.get("cluster:monitor/nodes/stats");
            Action usageAction = RoleBasedActionAuthorizationTests.actions.get("cluster:monitor/nodes/usage");
            Assert.assertTrue(statsAction.toString(), statsAction instanceof Action.WellKnownAction);

            SgDynamicConfiguration roles = (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                    DocNode.of("test_role", DocNode.of("cluster_permissions", Arrays.asList("cluster:monitor/nodes/stats*"))),
                    CType.ROLES,
                    (ConfigurationRepository.Context) null).get();
            RoleBasedActionAuthorization subject = new RoleBasedActionAuthorization(
                    roles, ActionGroup.FlattenedIndex.EMPTY, RoleBasedActionAuthorizationTests.actions,
                    (Meta) null, ImmutableSet.empty(), RoleBasedActionAuthorizationTests.STATEFUL_SIZE);
            User user = User.forUser("test").build();

            Assert.assertTrue(subject.hasClusterPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role"), statsAction).isOk());
            Assert.assertFalse(subject.hasClusterPermission(RoleBasedActionAuthorizationTests.ctx(user, "other_role"), statsAction).isOk());
            Assert.assertFalse(subject.hasClusterPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role"), usageAction).isOk());
        }

        /**
         * Same three checks for action names that are not well known, which the test first
         * confirms via {@code instanceof}.
         */
        @Test
        public void clusterAction_notWellKnown() throws Exception {
            Action statsAction = RoleBasedActionAuthorizationTests.actions.get("cluster:monitor/nodes/stats/somethingnotwellknown");
            Action usageAction = RoleBasedActionAuthorizationTests.actions.get("cluster:monitor/nodes/usage/somethingnotwellknown");
            Assert.assertFalse(statsAction.toString(), statsAction instanceof Action.WellKnownAction);

            SgDynamicConfiguration roles = (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                    DocNode.of("test_role", DocNode.of("cluster_permissions", Arrays.asList("cluster:monitor/nodes/stats*"))),
                    CType.ROLES,
                    (ConfigurationRepository.Context) null).get();
            RoleBasedActionAuthorization subject = new RoleBasedActionAuthorization(
                    roles, ActionGroup.FlattenedIndex.EMPTY, RoleBasedActionAuthorizationTests.actions,
                    (Meta) null, ImmutableSet.empty(), RoleBasedActionAuthorizationTests.STATEFUL_SIZE);
            User user = User.forUser("test").build();

            Assert.assertTrue(subject.hasClusterPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role"), statsAction).isOk());
            Assert.assertFalse(subject.hasClusterPermission(RoleBasedActionAuthorizationTests.ctx(user, "other_role"), statsAction).isOk());
            Assert.assertFalse(subject.hasClusterPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role"), usageAction).isOk());
        }

        /**
         * An exclusion must override a broader grant: the role allows 'cluster:monitor/*' but
         * excludes 'cluster:monitor/nodes/stats*'. The excluded pattern has to deny both the
         * well-known stats action and a not-well-known action under the same prefix, while the
         * usage action stays allowed.
         */
        @Test
        public void clusterAction_exclusion() throws Exception {
            Action statsAction = RoleBasedActionAuthorizationTests.actions.get("cluster:monitor/nodes/stats");
            Action usageAction = RoleBasedActionAuthorizationTests.actions.get("cluster:monitor/nodes/usage");
            Action unknownStatsAction = RoleBasedActionAuthorizationTests.actions.get("cluster:monitor/nodes/stats/not_well_known");
            Assert.assertTrue(statsAction.toString(), statsAction instanceof Action.WellKnownAction);
            Assert.assertTrue(usageAction.toString(), usageAction instanceof Action.WellKnownAction);
            Assert.assertFalse(unknownStatsAction.toString(), unknownStatsAction instanceof Action.WellKnownAction);

            SgDynamicConfiguration roles = (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(
                    DocNode.parse(Format.YAML).from("test_role1:\n  cluster_permissions:\n  - 'cluster:monitor/*'\n  exclude_cluster_permissions:\n  - 'cluster:monitor/nodes/stats*'\n"),
                    CType.ROLES,
                    (ConfigurationRepository.Context) null).get();
            RoleBasedActionAuthorization subject = new RoleBasedActionAuthorization(
                    roles, ActionGroup.FlattenedIndex.EMPTY, RoleBasedActionAuthorizationTests.actions,
                    (Meta) null, ImmutableSet.empty(), RoleBasedActionAuthorizationTests.STATEFUL_SIZE);
            User user = User.forUser("test").build();

            Assert.assertTrue(subject.hasClusterPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role1"), usageAction).isOk());
            Assert.assertFalse(subject.hasClusterPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role1"), statsAction).isOk());
            Assert.assertFalse(subject.hasClusterPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role1"), unknownStatsAction).isOk());
        }
    }

    @RunWith(Parameterized.class)
    /* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorizationTests$DataStreamPermissions.class */
    public static class DataStreamPermissions {
        // State of one parameterized run; the assigning constructor is not visible in this part
        // of the file.
        final ActionSpec actionSpec;
        final IndexSpec indexSpec;
        final SgDynamicConfiguration<Role> roles;
        final Action primaryAction;
        final ImmutableSet<Action> requiredActions;
        final ImmutableSet<Action> otherActions;
        final RoleBasedActionAuthorization subject;
        // dept_no=a1 is the attribute referenced by "datastream_${user.attrs.dept_no}" in the tests.
        final User user = User.forUser("test").attribute("dept_no", "a1").build();
        // Four data streams with two backing indices each; alias datastream_a spans
        // datastream_a1 and datastream_a2.
        static final Meta BASIC = Meta.Mock
                .dataStream("datastream_a1").of(new String[]{".ds-datastream_a1-xyz-0001", ".ds-datastream_a1-xyz-0002"})
                .dataStream("datastream_a2").of(new String[]{".ds-datastream_a2-xyz-0001", ".ds-datastream_a2-xyz-0002"})
                .dataStream("datastream_b1").of(new String[]{".ds-datastream_b1-xyz-0001", ".ds-datastream_b1-xyz-0002"})
                .dataStream("datastream_b2").of(new String[]{".ds-datastream_b2-xyz-0001", ".ds-datastream_b2-xyz-0002"})
                .alias("datastream_a").of(new String[]{"datastream_a1", "datastream_a2"});

        /**
         * Requests the data stream {@code datastream_a1}. A grant on data streams or aliases
         * yields OK; otherwise access is only available on the two backing indices.
         */
        @Test
        public void positive_datastream_full() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"),
                    this.primaryAction,
                    this.requiredActions,
                    ResolvedIndices.of(BASIC, new String[]{"datastream_a1"}),
                    Action.Scope.INDEX_LIKE);

            if (!this.indexSpec.givenDataStreamPrivs.isEmpty() || this.indexSpec.dataStreamWildcardPrivs || this.indexSpec.aliasWildcardPrivs || this.indexSpec.givenAliasPrivs.contains("datastream_a")) {
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.OK);
                return;
            }
            // No data stream or alias grant applies: only the backing indices are available.
            Assert.assertTrue(result.toString(),
                    result.getStatus() == PrivilegesEvaluationResult.Status.OK_WHEN_RESOLVED);
            Assert.assertTrue(result.toString(),
                    result.getAvailableIndices().equals(ImmutableSet.of(".ds-datastream_a1-xyz-0001", ".ds-datastream_a1-xyz-0002")));
        }

        /**
         * Requests one backing index of {@code datastream_a1} directly; every parameter
         * combination is expected to yield OK.
         */
        @Test
        public void positive_index_full() throws Exception {
            // NOTE(review): no Action.Scope is passed here, unlike the neighbouring tests -
            // confirm that this overload applies the scope the test intends.
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"),
                    this.primaryAction,
                    this.requiredActions,
                    ResolvedIndices.of(BASIC, new String[]{".ds-datastream_a1-xyz-0002"}));

            Assert.assertTrue(result.toString(),
                    result.getStatus() == PrivilegesEvaluationResult.Status.OK);
        }

        /**
         * Requests the alias {@code datastream_a}, which spans two data streams. Only an alias
         * grant yields OK; narrower grants must report exactly the data streams or backing
         * indices they cover.
         */
        @Test
        public void positive_alias_full() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(
                    RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"),
                    this.primaryAction,
                    this.requiredActions,
                    ResolvedIndices.of(BASIC, new String[]{"datastream_a"}),
                    Action.Scope.INDEX_LIKE);

            if (this.indexSpec.aliasWildcardPrivs || this.indexSpec.givenAliasPrivs.contains("datastream_a")) {
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.OK);
            } else if (this.indexSpec.givenDataStreamPrivs.contains("datastream_a1") || this.indexSpec.givenDataStreamPrivs.contains("datastream_${user.attrs.dept_no}") || (this.indexSpec.givenDataStreamPrivs.contains("datastream_a*") && this.indexSpec.givenDataStreamPrivs.contains("-datastream_a2"))) {
                // Grant covers datastream_a1 only, directly or after excluding datastream_a2.
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(),
                        result.getAvailableIndices().equals(ImmutableSet.of("datastream_a1")));
            } else if (this.indexSpec.dataStreamWildcardPrivs || this.indexSpec.givenDataStreamPrivs.contains("datastream_a*")) {
                // Both member data streams are granted, but not the alias itself.
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.OK_WHEN_RESOLVED);
                Assert.assertTrue(result.toString(),
                        result.getAvailableIndices().equals(ImmutableSet.of("datastream_a1", "datastream_a2")));
            } else if (this.indexSpec.givenIndexPrivs.contains(".ds-datastream_a1*")) {
                // Index pattern grant on the backing indices of datastream_a1 only.
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(),
                        result.getAvailableIndices().equals(ImmutableSet.of(".ds-datastream_a1-xyz-0001", ".ds-datastream_a1-xyz-0002")));
            } else {
                // Remaining combinations: all four backing indices behind the alias are available.
                Assert.assertTrue(result.toString(),
                        result.getStatus() == PrivilegesEvaluationResult.Status.OK_WHEN_RESOLVED);
                Assert.assertTrue(result.toString(),
                        result.getAvailableIndices().equals(ImmutableSet.of(".ds-datastream_a1-xyz-0001", new String[]{".ds-datastream_a1-xyz-0002", ".ds-datastream_a2-xyz-0001", ".ds-datastream_a2-xyz-0002"})));
            }
        }

        /**
         * Requests {@code datastream_a1}, {@code datastream_a2} and {@code datastream_b1} together as
         * {@code test_role}. Only the two wildcard specs may cover the whole request; every other spec
         * must yield {@code PARTIALLY_OK} with exactly the granted subset reported as available.
         */
        @Test
        public void positive_datastream_partial() throws Exception {
            PrivilegesEvaluationContext context = RoleBasedActionAuthorizationTests.ctx(this.user, "test_role");
            ResolvedIndices requested = ResolvedIndices.of(BASIC, new String[]{"datastream_a1", "datastream_a2", "datastream_b1"});
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(context, this.primaryAction, this.requiredActions, requested, Action.Scope.INDEX_LIKE);
            IndexSpec spec = this.indexSpec;

            if (spec.dataStreamWildcardPrivs) {
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.OK);
            } else if (spec.wildcardPrivs) {
                // Index privileges on "*": access is expressed in terms of the concrete indices.
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.OK_WHEN_RESOLVED);
                Assert.assertTrue(result.toString(), result.getAvailableIndices().equals(ImmutableSet.of(".ds-datastream_a1-xyz-0001", new String[]{".ds-datastream_a1-xyz-0002", ".ds-datastream_a2-xyz-0001", ".ds-datastream_a2-xyz-0002", ".ds-datastream_b1-xyz-0001", ".ds-datastream_b1-xyz-0002"})));
            } else if (spec.givenDataStreamPrivs.contains("datastream_a*") && spec.givenDataStreamPrivs.contains("-datastream_a2")) {
                // The "-datastream_a2" exclusion has to win over the "datastream_a*" wildcard, so this
                // case is checked before the plain wildcard case below.
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(), result.getAvailableIndices().equals(ImmutableSet.of("datastream_a1")));
            } else if (spec.givenDataStreamPrivs.contains("datastream_a*") || spec.aliasWildcardPrivs || spec.givenAliasPrivs.contains("datastream_a")) {
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(), result.getAvailableIndices().equals(ImmutableSet.of("datastream_a1", "datastream_a2")));
            } else if (spec.givenIndexPrivs.contains(".ds-datastream_a1*")) {
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(), result.getAvailableIndices().equals(ImmutableSet.of(".ds-datastream_a1-xyz-0001", ".ds-datastream_a1-xyz-0002")));
            } else {
                // Remaining specs grant datastream_a1 only (literal name or attribute template).
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(), result.getAvailableIndices().equals(ImmutableSet.of("datastream_a1")));
            }
        }

        /**
         * Requests one concrete index of the {@code a1} stream and one of the {@code b1} stream by
         * name. Only the index and data stream wildcard specs may authorize both; all other specs must
         * report just {@code .ds-datastream_a1-xyz-0001} as available.
         */
        @Test
        public void positive_index_partial() throws Exception {
            PrivilegesEvaluationContext context = RoleBasedActionAuthorizationTests.ctx(this.user, "test_role");
            ResolvedIndices requested = ResolvedIndices.of(BASIC, new String[]{".ds-datastream_a1-xyz-0001", ".ds-datastream_b1-xyz-0001"});
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(context, this.primaryAction, this.requiredActions, requested, Action.Scope.INDEX_LIKE);

            if (this.indexSpec.wildcardPrivs || this.indexSpec.dataStreamWildcardPrivs) {
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.OK);
                return;
            }
            Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
            Assert.assertTrue(result.toString(), result.getAvailableIndices().equals(ImmutableSet.of(".ds-datastream_a1-xyz-0001")));
        }

        /**
         * A context that carries only {@code other_role}, for which the generated roles config holds
         * no entry, must be denied on {@code datastream_a1} regardless of the privilege spec.
         */
        @Test
        public void negative_wrongRole() throws Exception {
            PrivilegesEvaluationContext context = RoleBasedActionAuthorizationTests.ctx(this.user, "other_role");
            ResolvedIndices requested = ResolvedIndices.of(BASIC, new String[]{"datastream_a1"});
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(context, this.primaryAction, this.requiredActions, requested, Action.Scope.INDEX_LIKE);
            // NOTE(review): only the status is asserted; consider also pinning what
            // getAvailableIndices() reports for a denied request.
            Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }

        /**
         * Uses {@code otherActions}, an action the constructor picks outside the granted privileges,
         * as both primary and required action; the request on {@code datastream_a1} must be denied.
         */
        @Test
        public void negative_wrongAction() throws Exception {
            PrivilegesEvaluationContext context = RoleBasedActionAuthorizationTests.ctx(this.user, "test_role");
            Action ungranted = (Action) this.otherActions.any();
            ResolvedIndices requested = ResolvedIndices.of(BASIC, new String[]{"datastream_a1"});
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(context, ungranted, this.otherActions, requested, Action.Scope.INDEX_LIKE);
            Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }

        /**
         * Same as {@code negative_wrongRole}, but the request names {@code datastream_a}: a context
         * with only {@code other_role} must be denied there as well.
         */
        @Test
        public void negative_wrongRole_alias() throws Exception {
            PrivilegesEvaluationContext context = RoleBasedActionAuthorizationTests.ctx(this.user, "other_role");
            ResolvedIndices requested = ResolvedIndices.of(BASIC, new String[]{"datastream_a"});
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(context, this.primaryAction, this.requiredActions, requested, Action.Scope.INDEX_LIKE);
            Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }

        /**
         * Same as {@code negative_wrongAction}, but the request names {@code datastream_a}: an action
         * outside the granted privileges must be denied there as well.
         */
        @Test
        public void negative_wrongAction_alias() throws Exception {
            PrivilegesEvaluationContext context = RoleBasedActionAuthorizationTests.ctx(this.user, "test_role");
            Action ungranted = (Action) this.otherActions.any();
            ResolvedIndices requested = ResolvedIndices.of(BASIC, new String[]{"datastream_a"});
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(context, ungranted, this.otherActions, requested, Action.Scope.INDEX_LIKE);
            Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }

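        /**
         * Builds the parameter matrix: every index/alias/data stream privilege spec is combined with
         * every action spec and with both {@link Statefulness} values.
         *
         * @return one {@code {IndexSpec, ActionSpec, Statefulness}} triple per combination
         */
        @Parameterized.Parameters(name = "{0};  actions: {1};  {2}")
        public static Collection<Object[]> params() {
            // Parameterized instead of a raw ArrayList, so the return needs no unchecked conversion.
            Collection<Object[]> combinations = new ArrayList<>();
            for (IndexSpec indexSpec : Arrays.asList(
                    new IndexSpec().givenIndexPrivs("*"),
                    new IndexSpec().givenAliasPrivs("*"),
                    new IndexSpec().givenDataStreamPrivs("*"),
                    new IndexSpec().givenDataStreamPrivs("datastream_a1"),
                    new IndexSpec().givenDataStreamPrivs("datastream_a*"),
                    new IndexSpec().givenDataStreamPrivs("datastream_${user.attrs.dept_no}"),
                    new IndexSpec().givenDataStreamPrivs("datastream_a*", "-datastream_a2"),
                    new IndexSpec().givenAliasPrivs("datastream_a"),
                    new IndexSpec().givenIndexPrivs(".ds-datastream_a1*"))) {
                // The action specs are rebuilt for each index spec, so no instance is shared
                // between parameter sets.
                for (ActionSpec actionSpec : Arrays.asList(
                        new ActionSpec("constant, well known").givenPrivs("indices:data/read/search").requiredPrivs("indices:data/read/search"),
                        new ActionSpec("pattern, well known").givenPrivs("indices:data/read/*").requiredPrivs("indices:data/read/search"),
                        new ActionSpec("pattern, well known, two required privs").givenPrivs("indices:data/read/*").requiredPrivs("indices:data/read/search", "indices:data/read/get"),
                        new ActionSpec("constant, non well known").givenPrivs("indices:unknown/unwell").requiredPrivs("indices:unknown/unwell"),
                        new ActionSpec("pattern, non well known").givenPrivs("indices:unknown/*").requiredPrivs("indices:unknown/unwell"),
                        new ActionSpec("pattern, non well known, two required privs").givenPrivs("indices:unknown/*").requiredPrivs("indices:unknown/unwell", "indices:unknown/notatall"))) {
                    for (Statefulness statefulness : Statefulness.values()) {
                        combinations.add(new Object[]{indexSpec, actionSpec, statefulness});
                    }
                }
            }
            return combinations;
        }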

        /**
         * Sets up one parameter combination: derives the roles config from the two specs and builds
         * the authorization instance under test.
         *
         * @param indexSpec    index, alias and data stream patterns granted to {@code test_role}
         * @param actionSpec   granted and required action privileges
         * @param statefulness whether the instance is built with the {@code BASIC} metadata or with
         *                     {@code null}
         */
        public DataStreamPermissions(IndexSpec indexSpec, ActionSpec actionSpec, Statefulness statefulness) throws Exception {
            this.indexSpec = indexSpec;
            this.actionSpec = actionSpec;
            this.roles = indexSpec.toRolesConfig(actionSpec);
            this.primaryAction = actionSpec.primaryAction;
            this.requiredActions = actionSpec.requiredPrivs;

            // Action used by the negative tests; it is chosen to lie outside the given privileges
            // of every action spec in params().
            String ungrantedActionName = actionSpec.wellKnownActions ? "indices:data/write/update" : "indices:foobar/unknown";
            this.otherActions = ImmutableSet.of(RoleBasedActionAuthorizationTests.actions.get(ungrantedActionName));

            boolean stateful = statefulness == Statefulness.STATEFUL;
            this.subject = new RoleBasedActionAuthorization(this.roles, ActionGroup.FlattenedIndex.EMPTY, RoleBasedActionAuthorizationTests.actions, stateful ? BASIC : null, ImmutableSet.empty(), RoleBasedActionAuthorizationTests.STATEFUL_SIZE);
        }
    }

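    /**
     * Parameterized checks of {@code hasIndexPermission} for plain indices and aliases.
     *
     * <p>Each instance runs with one {@code {IndexSpec, ActionSpec, Statefulness}} combination from
     * {@link #params()}. The positive tests pin the status and, where access is partial, the exact
     * set of available indices; the negative tests pin that an unmapped role or an ungranted action
     * is denied.
     */
    @RunWith(Parameterized.class)
    public static class IndexPermissions {
        final ActionSpec actionSpec;
        final IndexSpec indexSpec;
        final SgDynamicConfiguration<Role> roles;
        final Action primaryAction;
        final ImmutableSet<Action> requiredActions;
        // Action outside the granted privileges; used by the negative_wrongAction* tests.
        final ImmutableSet<Action> otherActions;
        final RoleBasedActionAuthorization subject;
        // dept_no is the attribute referenced by the "index_${user.attrs.dept_no}" pattern specs.
        final User user = User.forUser("test").attribute("dept_no", "a11").build();
        // alias_a1 lists its first member as ">index_a11"; presumably the ">" prefix marks the write
        // index of the alias (see the "uses write index of alias" action spec) - confirm in Meta.Mock.
        static final Meta BASIC = Meta.Mock.indices(new String[]{"index_a11", "index_a12", "index_a21", "index_a22", "index_b1", "index_b2"}).alias("alias_a").of(new String[]{"index_a11", "index_a12", "index_a21", "index_a22"}).alias("alias_a1").of(new String[]{">index_a11", "index_a12"}).alias("alias_a2").of(new String[]{"index_a21", "index_a22"}).alias("alias_b").of(new String[]{"index_b1", "index_b2"});

        /** Every privilege spec grants {@code index_a11}, so a request for it alone must be {@code OK}. */
        @Test
        public void positive_full() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"), this.primaryAction, this.requiredActions, ResolvedIndices.of(BASIC, new String[]{"index_a11"}), Action.Scope.INDEX_LIKE);
            Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.OK);
        }

        /**
         * Requests {@code index_a11} and {@code index_a12}. Specs that cover both yield {@code OK};
         * specs that grant only {@code index_a11}, including those with the {@code -index_a12}
         * exclusion, must report just {@code index_a11} as available.
         */
        @Test
        public void positive_partial() throws Exception {
            // NOTE(review): overload without an explicit Action.Scope, unlike positive_full; confirm
            // which scope that overload applies.
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"), this.primaryAction, this.requiredActions, ResolvedIndices.of(BASIC, new String[]{"index_a11", "index_a12"}));
            IndexSpec spec = this.indexSpec;
            if (spec.wildcardPrivs || spec.givenIndexPrivs.contains("index_*")) {
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.OK);
            } else if ((spec.givenIndexPrivs.contains("index_a1*") || spec.givenIndexPrivs.contains("/index_(?!b.*).*/")) && !spec.givenIndexPrivs.contains("-index_a12")) {
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.OK);
            } else {
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(), result.getAvailableIndices().equals(ImmutableSet.of("index_a11")));
            }
        }

        /**
         * Like {@link #positive_partial()}, with {@code index_b1} added to the request. Only the
         * {@code *} and {@code index_*} specs cover it; the negative-lookahead regex spec
         * {@code /index_(?!b.*).*}{@code /} must not.
         */
        @Test
        public void positive_partial2() throws Exception {
            // NOTE(review): overload without an explicit Action.Scope; see positive_partial.
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"), this.primaryAction, this.requiredActions, ResolvedIndices.of(BASIC, new String[]{"index_a11", "index_a12", "index_b1"}));
            IndexSpec spec = this.indexSpec;
            if (spec.wildcardPrivs || spec.givenIndexPrivs.contains("index_*")) {
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.OK);
            } else if ((spec.givenIndexPrivs.contains("index_a1*") || spec.givenIndexPrivs.contains("/index_(?!b.*).*/")) && !spec.givenIndexPrivs.contains("-index_a12")) {
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(), result.getAvailableIndices().equals(ImmutableSet.of("index_a11", "index_a12")));
            } else {
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(), result.getAvailableIndices().equals(ImmutableSet.of("index_a11")));
            }
        }

        /**
         * Requests {@code alias_a1}. No spec grants alias privileges, so access is never plain
         * {@code OK}: it is either {@code OK_WHEN_RESOLVED} or {@code PARTIALLY_OK}, with the granted
         * member indices reported. For {@code indices:data/write/index} only {@code index_a11} is
         * expected in every case.
         */
        @Test
        public void positive_alias() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"), this.primaryAction, this.requiredActions, ResolvedIndices.of(BASIC, new String[]{"alias_a1"}), Action.Scope.INDEX_LIKE);
            IndexSpec spec = this.indexSpec;
            boolean indexAction = this.actionSpec.primaryAction.name().equals("indices:data/write/index");
            boolean coversBothMembers = (spec.wildcardPrivs || spec.givenIndexPrivs.contains("index_*") || spec.givenIndexPrivs.contains("index_a1*") || spec.givenIndexPrivs.contains("/index_(?!b.*).*/")) && !spec.givenIndexPrivs.contains("-index_a12");

            if (coversBothMembers) {
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.OK_WHEN_RESOLVED);
                if (indexAction) {
                    Assert.assertTrue(result.toString(), result.getAvailableIndices().equals(ImmutableSet.of("index_a11")));
                } else {
                    Assert.assertTrue(result.toString(), result.getAvailableIndices().equals(ImmutableSet.of("index_a11", "index_a12")));
                }
            } else if (indexAction) {
                // Only index_a11 is granted, and for the index action that is all that is needed.
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.OK_WHEN_RESOLVED);
                Assert.assertTrue(result.toString(), result.getAvailableIndices().equals(ImmutableSet.of("index_a11")));
            } else {
                // index_a12 is excluded or unmatched, so the alias is only partially available.
                Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
                Assert.assertTrue(result.toString(), result.getAvailableIndices().equals(ImmutableSet.of("index_a11")));
            }
        }

        /** A context with only {@code other_role}, absent from the roles config, must be denied. */
        @Test
        public void negative_wrongRole() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(this.user, "other_role"), this.primaryAction, this.requiredActions, ResolvedIndices.of(BASIC, new String[]{"index_a11"}), Action.Scope.INDEX_LIKE);
            // NOTE(review): only the status is asserted; consider also pinning what
            // getAvailableIndices() reports for a denied request.
            Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }

        /** An action outside the granted privileges must be denied even on a granted index. */
        @Test
        public void negative_wrongAction() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"), (Action) this.otherActions.any(), this.otherActions, ResolvedIndices.of(BASIC, new String[]{"index_a11"}), Action.Scope.INDEX_LIKE);
            Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }

        /** Same as {@link #negative_wrongRole()}, with the request naming {@code alias_a1}. */
        @Test
        public void negative_wrongRole_alias() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(this.user, "other_role"), this.primaryAction, this.requiredActions, ResolvedIndices.of(BASIC, new String[]{"alias_a1"}), Action.Scope.INDEX_LIKE);
            Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }

        /** Same as {@link #negative_wrongAction()}, with the request naming {@code alias_a1}. */
        @Test
        public void negative_wrongAction_alias() throws Exception {
            PrivilegesEvaluationResult result = this.subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(this.user, "test_role"), (Action) this.otherActions.any(), this.otherActions, ResolvedIndices.of(BASIC, new String[]{"alias_a1"}), Action.Scope.INDEX_LIKE);
            Assert.assertTrue(result.toString(), result.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }

        /**
         * Builds the parameter matrix: every index privilege spec is combined with every action spec
         * and with both {@link Statefulness} values.
         *
         * @return one {@code {IndexSpec, ActionSpec, Statefulness}} triple per combination
         */
        @Parameterized.Parameters(name = "{0};  actions: {1};  {2}")
        public static Collection<Object[]> params() {
            // Parameterized instead of a raw ArrayList, so the return needs no unchecked conversion.
            Collection<Object[]> combinations = new ArrayList<>();
            for (IndexSpec indexSpec : Arrays.asList(
                    new IndexSpec().givenIndexPrivs("*"),
                    new IndexSpec().givenIndexPrivs("index_*"),
                    new IndexSpec().givenIndexPrivs("index_a11"),
                    new IndexSpec().givenIndexPrivs("index_a1*"),
                    new IndexSpec().givenIndexPrivs("index_${user.attrs.dept_no}"),
                    new IndexSpec().givenIndexPrivs("index_a1*", "-index_a12"),
                    new IndexSpec().givenIndexPrivs("index_${user.attrs.dept_no}", "-index_a12"),
                    new IndexSpec().givenIndexPrivs("/index_(?!b.*).*/"))) {
                // The action specs are rebuilt for each index spec, so no instance is shared
                // between parameter sets.
                for (ActionSpec actionSpec : Arrays.asList(
                        new ActionSpec("constant, well known").givenPrivs("indices:data/read/search").requiredPrivs("indices:data/read/search"),
                        new ActionSpec("pattern, well known").givenPrivs("indices:data/read/*").requiredPrivs("indices:data/read/search"),
                        new ActionSpec("pattern, well known, two required privs").givenPrivs("indices:data/read/*").requiredPrivs("indices:data/read/search", "indices:data/read/get"),
                        new ActionSpec("constant, well known, index action (uses write index of alias)").givenPrivs("indices:data/write/index").requiredPrivs("indices:data/write/index"),
                        new ActionSpec("constant, non well known").givenPrivs("indices:unknown/unwell").requiredPrivs("indices:unknown/unwell"),
                        new ActionSpec("pattern, non well known").givenPrivs("indices:unknown/*").requiredPrivs("indices:unknown/unwell"),
                        new ActionSpec("pattern, non well known, two required privs").givenPrivs("indices:unknown/*").requiredPrivs("indices:unknown/unwell", "indices:unknown/notatall"))) {
                    for (Statefulness statefulness : Statefulness.values()) {
                        combinations.add(new Object[]{indexSpec, actionSpec, statefulness});
                    }
                }
            }
            return combinations;
        }

        /**
         * Sets up one parameter combination: derives the roles config from the two specs and builds
         * the authorization instance under test.
         *
         * @param indexSpec    index patterns granted to {@code test_role}
         * @param actionSpec   granted and required action privileges
         * @param statefulness whether the instance is built with {@link #BASIC} or with {@code null}
         */
        public IndexPermissions(IndexSpec indexSpec, ActionSpec actionSpec, Statefulness statefulness) throws Exception {
            this.indexSpec = indexSpec;
            this.actionSpec = actionSpec;
            this.roles = indexSpec.toRolesConfig(actionSpec);
            this.primaryAction = actionSpec.primaryAction;
            this.requiredActions = actionSpec.requiredPrivs;
            this.otherActions = actionSpec.wellKnownActions ? ImmutableSet.of(RoleBasedActionAuthorizationTests.actions.get("indices:data/write/update")) : ImmutableSet.of(RoleBasedActionAuthorizationTests.actions.get("indices:foobar/unknown"));
            this.subject = new RoleBasedActionAuthorization(this.roles, ActionGroup.FlattenedIndex.EMPTY, RoleBasedActionAuthorizationTests.actions, statefulness == Statefulness.STATEFUL ? BASIC : null, ImmutableSet.empty(), RoleBasedActionAuthorizationTests.STATEFUL_SIZE);
        }
    }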

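    /**
     * Hand-written scenarios for {@code hasIndexPermission} that do not fit the parameterized
     * matrix: a user-attribute index pattern, and two required privileges that are granted by
     * different roles.
     */
    public static class IndexPermissionsSpecial {
        static final Meta BASIC = Meta.Mock.indices(new String[]{"index_a11", "index_a12", "index_a21", "index_a22", "index_b1", "index_b2"}).alias("alias_a").of(new String[]{"index_a11", "index_a12", "index_a21", "index_a22"}).alias("alias_a1").of(new String[]{"index_a11", "index_a12"}).alias("alias_a2").of(new String[]{"index_a21", "index_a22"}).alias("alias_b").of(new String[]{"index_b1", "index_b2"});

        /**
         * A role whose only index pattern is {@code index_${user.attrs.dept_no}} grants access to the
         * index named by the user's attribute and nothing else. A user without that attribute must be
         * denied with an explicit error rather than matched by some fallback.
         */
        @Test
        public void indexAction_wellKnown_constantAction_indexTemplate() throws Exception {
            // Parameterized sets (the decompiled source used raw ImmutableSet plus casts).
            ImmutableSet<Action> searchOnly = ImmutableSet.of(RoleBasedActionAuthorizationTests.actions.get("indices:data/read/search"));
            ImmutableSet<Action> getOnly = ImmutableSet.of(RoleBasedActionAuthorizationTests.actions.get("indices:data/read/get"));
            Action search = searchOnly.only();
            Assert.assertTrue(searchOnly.toString(), search instanceof Action.WellKnownAction);

            String rolesYaml = "test_role:\n"
                    + "  index_permissions:\n"
                    + "  - index_patterns: ['index_${user.attrs.dept_no}']\n"
                    + "    allowed_actions: ['indices:data/read/search']";
            RoleBasedActionAuthorization subject = new RoleBasedActionAuthorization((SgDynamicConfiguration) SgDynamicConfiguration.fromMap(DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get(), ActionGroup.FlattenedIndex.EMPTY, RoleBasedActionAuthorizationTests.actions, (Meta) null, ImmutableSet.empty(), RoleBasedActionAuthorizationTests.STATEFUL_SIZE);
            User user = User.forUser("test").attribute("dept_no", "a11").build();

            // Exactly the index the attribute resolves to.
            PrivilegesEvaluationResult exactIndex = subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role"), search, searchOnly, ResolvedIndices.of(BASIC, new String[]{"index_a11"}), Action.Scope.INDEX_LIKE);
            Assert.assertTrue(exactIndex.toString(), exactIndex.getStatus() == PrivilegesEvaluationResult.Status.OK);

            // A second, ungranted index must be dropped from the available set.
            // NOTE(review): overload without an explicit Action.Scope; confirm which scope it applies.
            PrivilegesEvaluationResult twoIndices = subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role"), search, searchOnly, ResolvedIndices.of(BASIC, new String[]{"index_a11", "index_a12"}));
            Assert.assertTrue(twoIndices.toString(), twoIndices.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
            Assert.assertTrue(twoIndices.toString(), twoIndices.getAvailableIndices().equals(ImmutableSet.of("index_a11")));

            // Via alias_a1 (index_a11, index_a12): only the granted member is available.
            PrivilegesEvaluationResult viaAlias = subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role"), search, searchOnly, ResolvedIndices.of(BASIC, new String[]{"alias_a1"}), Action.Scope.INDEX_LIKE);
            Assert.assertTrue(viaAlias.toString(), viaAlias.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
            Assert.assertTrue(viaAlias.toString(), viaAlias.getAvailableIndices().equals(ImmutableSet.of("index_a11")));

            // A role that is not in the config grants nothing.
            PrivilegesEvaluationResult wrongRole = subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(user, "other_role"), search, searchOnly, ResolvedIndices.of(BASIC, new String[]{"index_a11"}), Action.Scope.INDEX_LIKE);
            Assert.assertTrue(wrongRole.toString(), wrongRole.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);

            // The required set is what counts: the primary action is still the granted search
            // action, but the required "get" action is not granted.
            PrivilegesEvaluationResult wrongRequiredAction = subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role"), search, getOnly, ResolvedIndices.of(BASIC, new String[]{"index_a11"}), Action.Scope.INDEX_LIKE);
            Assert.assertTrue(wrongRequiredAction.toString(), wrongRequiredAction.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);

            // Missing attribute: the pattern cannot be resolved, so access is denied and the error
            // names the unresolved placeholder.
            // NOTE(review): overload without an explicit Action.Scope, as above.
            PrivilegesEvaluationResult missingAttribute = subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(User.forUser("no_attributes").build(), "test_role"), search, searchOnly, ResolvedIndices.of(BASIC, new String[]{"index_a11"}));
            Assert.assertTrue(missingAttribute.toString(), missingAttribute.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
            Assert.assertTrue(missingAttribute.toString(), missingAttribute.getErrors().toString().contains("No value for ${user.attrs.dept_no}"));
        }

        /**
         * Two actions are required at once, and each is granted by a different role. An index counts
         * as available only when the union of the context's roles grants both actions on it; roles
         * that together grant just one of the two actions must not authorize anything.
         */
        @Test
        public void indexAction_twoRequiredPrivileges_actionPattern_indexPattern() throws Exception {
            Action index = RoleBasedActionAuthorizationTests.actions.get("indices:data/write/index");
            Action notWellKnown = RoleBasedActionAuthorizationTests.actions.get("indices:data/write/index/notWellKnown");
            Assert.assertTrue(index.toString(), index instanceof Action.WellKnownAction);

            // test_role1 grants the index action on index_a*; test_role2 and test_role3 grant the
            // second action on index_a1 and index_a2 respectively.
            String rolesYaml = "test_role1:\n"
                    + "  index_permissions:\n"
                    + "  - index_patterns: ['index_a*']\n"
                    + "    allowed_actions: ['indices:data/write/index']\n"
                    + "test_role2:\n"
                    + "  index_permissions:\n"
                    + "  - index_patterns: ['index_a1']\n"
                    + "    allowed_actions: ['indices:data/write/index/notWell*']\n"
                    + "test_role3:\n"
                    + "  index_permissions:\n"
                    + "  - index_patterns: ['index_a2']\n"
                    + "    allowed_actions: ['indices:data/write/index/notWell*']\n";
            RoleBasedActionAuthorization subject = new RoleBasedActionAuthorization((SgDynamicConfiguration) SgDynamicConfiguration.fromMap(DocNode.parse(Format.YAML).from(rolesYaml), CType.ROLES, (ConfigurationRepository.Context) null).get(), ActionGroup.FlattenedIndex.EMPTY, RoleBasedActionAuthorizationTests.actions, (Meta) null, ImmutableSet.empty(), RoleBasedActionAuthorizationTests.STATEFUL_SIZE);
            User user = User.forUser("test").build();
            Meta meta = Meta.Mock.indices(new String[]{"index_a1", "index_a2", "index_b"});

            // All three roles: both actions are granted on index_a1 and index_a2.
            PrivilegesEvaluationResult allRoles = subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role1", "test_role2", "test_role3"), index, ImmutableSet.of(index, notWellKnown), ResolvedIndices.of(meta, new String[]{"index_a1", "index_a2"}), Action.Scope.INDEX_LIKE);
            Assert.assertTrue(allRoles.toString(), allRoles.getStatus() == PrivilegesEvaluationResult.Status.OK);

            // index_b is granted by no role and must be left out.
            PrivilegesEvaluationResult allRolesWithB = subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role1", "test_role2", "test_role3"), index, ImmutableSet.of(index, notWellKnown), ResolvedIndices.of(meta, new String[]{"index_a1", "index_a2", "index_b"}), Action.Scope.INDEX_LIKE);
            Assert.assertTrue(allRolesWithB.toString(), allRolesWithB.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
            Assert.assertTrue(allRolesWithB.toString(), allRolesWithB.getAvailableIndices().equals(ImmutableSet.of("index_a1", "index_a2")));

            // Without test_role3 the second action is missing on index_a2.
            PrivilegesEvaluationResult withoutRole3 = subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role1", "test_role2"), index, ImmutableSet.of(index, notWellKnown), ResolvedIndices.of(meta, new String[]{"index_a1", "index_a2", "index_b"}), Action.Scope.INDEX_LIKE);
            Assert.assertTrue(withoutRole3.toString(), withoutRole3.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK);
            Assert.assertTrue(withoutRole3.toString(), withoutRole3.getAvailableIndices().equals(ImmutableSet.of("index_a1")));

            // Without test_role1 the index action is granted nowhere, so nothing is authorized.
            PrivilegesEvaluationResult withoutRole1 = subject.hasIndexPermission(RoleBasedActionAuthorizationTests.ctx(user, "test_role2", "test_role3"), index, ImmutableSet.of(index, notWellKnown), ResolvedIndices.of(meta, new String[]{"index_a1", "index_a2"}), Action.Scope.INDEX_LIKE);
            Assert.assertTrue(withoutRole1.toString(), withoutRole1.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT);
        }
    }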

    /**
     * Test fixture describing the index, alias and data stream patterns granted to
     * {@code test_role}. The {@code given*} methods are chainable and each records whether the bare
     * {@code "*"} pattern is among its arguments.
     */
    static class IndexSpec {
        ImmutableList<String> givenIndexPrivs = ImmutableList.empty();
        ImmutableList<String> givenAliasPrivs = ImmutableList.empty();
        ImmutableList<String> givenDataStreamPrivs = ImmutableList.empty();
        // Each flag is true when the corresponding pattern list contains "*".
        boolean wildcardPrivs;
        boolean aliasWildcardPrivs;
        boolean dataStreamWildcardPrivs;

        IndexSpec() {
        }

        /** Replaces the index patterns and updates {@code wildcardPrivs}; returns this spec. */
        IndexSpec givenIndexPrivs(String... strArr) {
            ImmutableList<String> patterns = ImmutableList.ofArray(strArr);
            givenIndexPrivs = patterns;
            wildcardPrivs = patterns.contains("*");
            return this;
        }

        /** Replaces the alias patterns and updates {@code aliasWildcardPrivs}; returns this spec. */
        IndexSpec givenAliasPrivs(String... strArr) {
            ImmutableList<String> patterns = ImmutableList.ofArray(strArr);
            givenAliasPrivs = patterns;
            aliasWildcardPrivs = patterns.contains("*");
            return this;
        }

        /** Replaces the data stream patterns and updates {@code dataStreamWildcardPrivs}; returns this spec. */
        IndexSpec givenDataStreamPrivs(String... strArr) {
            ImmutableList<String> patterns = ImmutableList.ofArray(strArr);
            givenDataStreamPrivs = patterns;
            dataStreamWildcardPrivs = patterns.contains("*");
            return this;
        }

        /**
         * Renders the non-empty pattern lists as {@code "indices: ...; aliases: ...; data_streams: ..."};
         * this text is what {@code {0}} expands to in the parameterized test names.
         */
        @Override
        public String toString() {
            Collection<String> sections = new ArrayList<>();
            if (!givenIndexPrivs.isEmpty()) {
                sections.add("indices: " + givenIndexPrivs.stream().collect(Collectors.joining(",")));
            }
            if (!givenAliasPrivs.isEmpty()) {
                sections.add("aliases: " + givenAliasPrivs.stream().collect(Collectors.joining(",")));
            }
            if (!givenDataStreamPrivs.isEmpty()) {
                sections.add("data_streams: " + givenDataStreamPrivs.stream().collect(Collectors.joining(",")));
            }
            return String.join("; ", sections);
        }

        /**
         * Builds a roles config with a single {@code test_role} that carries one
         * {@code index_permissions}, one {@code alias_permissions} and one
         * {@code data_stream_permissions} entry, each combining this spec's patterns with the given
         * privileges of {@code actionSpec}. All three entries are emitted even when their pattern
         * list is empty.
         *
         * @param actionSpec supplies the {@code allowed_actions} of every entry
         * @return the parsed roles configuration
         * @throws RuntimeException wrapping the {@link ConfigValidationException} if the config is rejected
         */
        public SgDynamicConfiguration<Role> toRolesConfig(ActionSpec actionSpec) {
            try {
                DocNode indexEntry = DocNode.of("index_patterns", this.givenIndexPrivs, "allowed_actions", actionSpec.givenPrivs);
                DocNode aliasEntry = DocNode.of("alias_patterns", this.givenAliasPrivs, "allowed_actions", actionSpec.givenPrivs);
                DocNode dataStreamEntry = DocNode.of("data_stream_patterns", this.givenDataStreamPrivs, "allowed_actions", actionSpec.givenPrivs);
                DocNode role = DocNode.of("index_permissions", DocNode.array(new Object[]{indexEntry}), "alias_permissions", DocNode.array(new Object[]{aliasEntry}), "data_stream_permissions", DocNode.array(new Object[]{dataStreamEntry}));
                return (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(DocNode.of("test_role", role), CType.ROLES, (ConfigurationRepository.Context) null).get();
            } catch (ConfigValidationException e) {
                // Unchecked rethrow keeps the cause and lets params() call this without a throws clause.
                throw new RuntimeException((Throwable) e);
            }
        }
    }

    /**
     * Third axis of the parameterized tests. The test constructors in this file pass their
     * {@code BASIC} metadata to {@code RoleBasedActionAuthorization} for {@link #STATEFUL} and
     * {@code null} for {@link #NON_STATEFUL}, so every expectation is checked in both modes.
     */
    enum Statefulness {
        STATEFUL,
        NON_STATEFUL
    }

    /**
     * Builds the evaluation context the tests pass to {@code hasIndexPermission}.
     *
     * @param user   the user the request is evaluated for
     * @param strArr role names carried by the context; callers in this file pass e.g.
     *               {@code "test_role"} or {@code "other_role"}
     * @return a context holding {@code user} and the given names as an {@link ImmutableSet}
     */
    private static PrivilegesEvaluationContext ctx(User user, String... strArr) {
        ImmutableSet<String> roleNames = ImmutableSet.ofArray(strArr);
        // NOTE(review): the same array is also passed as the fifth constructor argument, and the
        // boolean flags are positional; confirm their meaning against PrivilegesEvaluationContext.
        return new PrivilegesEvaluationContext(user, false, roleNames, (Action) null, strArr, true, (ActionRequestIntrospector) null, (SpecialPrivilegesEvaluationContext) null);
    }
}
