package com.floragunn.searchguard;

import com.floragunn.searchguard.configuration.CType;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.google.common.collect.ImmutableMap;
import java.net.InetAddress;
import java.util.Arrays;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Ignore;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/BackendRegistryTests.class */
public class BackendRegistryTests {
    static TestSgConfig.User TEST_USER = new TestSgConfig.User("test_user").roles("SGS_ALL_ACCESS");
    static TestSgConfig.User BLOCK_TEST_USER = new TestSgConfig.User("block_test_user").roles("SGS_ALL_ACCESS");
    static TestSgConfig.User BLOCK_WILDCARD_TEST_USER = new TestSgConfig.User("block_wildcard_test_user").roles("SGS_ALL_ACCESS");
    static TestSgConfig.Authc AUTHC = new TestSgConfig.Authc(new TestSgConfig.Authc.Domain("basic/noop").acceptIps("127.0.0.4/30"), new TestSgConfig.Authc.Domain("basic/internal_users_db")).trustedProxies("127.0.0.44");

    @ClassRule
    public static LocalCluster.Embedded cluster = new LocalCluster.Builder().singleNode().sslEnabled().authc(AUTHC).users(TEST_USER, BLOCK_TEST_USER, BLOCK_WILDCARD_TEST_USER).embedded().build();

    @Test
    public void when_user_is_blocked_then_authentication_should_fail() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(BLOCK_TEST_USER, new Header[0]);
        try {
            Assert.assertEquals(200L, restClient.get("_searchguard/authinfo?pretty", new Header[0]).getStatusCode());
            cluster.updateSgConfig(CType.BLOCKS, "block_" + BLOCK_TEST_USER.getName(), ImmutableMap.of("type", "name", "value", Arrays.asList(BLOCK_TEST_USER.getName()), "verdict", "disallow"));
            Assert.assertEquals(401L, restClient.get("_searchguard/authinfo?pretty", new Header[0]).getStatusCode());
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void when_user_is_blocked_then_authentication_should_fail_wildcard() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(BLOCK_WILDCARD_TEST_USER, new Header[0]);
        try {
            Assert.assertEquals(200L, restClient.get("_searchguard/authinfo?pretty", new Header[0]).getStatusCode());
            cluster.updateSgConfig(CType.BLOCKS, "block_" + BLOCK_WILDCARD_TEST_USER.getName(), ImmutableMap.of("type", "name", "value", Arrays.asList("block_wildcard_*"), "verdict", "disallow"));
            Assert.assertEquals(401L, restClient.get("_searchguard/authinfo?pretty", new Header[0]).getStatusCode());
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void when_ip_is_blocked_then_authentication_should_fail() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(TEST_USER, new Header[0]);
        try {
            restClient.setLocalAddress(InetAddress.getByAddress(new byte[]{Byte.MAX_VALUE, 0, 0, 99}));
            Assert.assertEquals(200L, restClient.get("_searchguard/authinfo?pretty", new Header[0]).getStatusCode());
            cluster.updateSgConfig(CType.BLOCKS, "block_ip", ImmutableMap.of("type", "ip", "value", Arrays.asList("127.0.0.99"), "verdict", "disallow"));
            Assert.assertEquals(401L, restClient.get("_searchguard/authinfo?pretty", new Header[0]).getStatusCode());
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void when_ip_is_blocked_from_net_then_authentication_should_fail() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(TEST_USER, new Header[0]);
        try {
            restClient.setLocalAddress(InetAddress.getByAddress(new byte[]{Byte.MAX_VALUE, 0, 0, 90}));
            Assert.assertEquals(200L, restClient.get("_searchguard/authinfo?pretty", new Header[0]).getStatusCode());
            cluster.updateSgConfig(CType.BLOCKS, "block_ip", ImmutableMap.of("type", "net_mask", "value", Arrays.asList("127.0.0.88/29"), "verdict", "disallow"));
            Assert.assertEquals(401L, restClient.get("_searchguard/authinfo?pretty", new Header[0]).getStatusCode());
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void when_xff_ip_is_blocked_from_net_then_authentication_should_fail() throws Exception {
        GenericRestClient restClient = cluster.getRestClient(TEST_USER, new BasicHeader("X-Forwarded-For", "10.11.12.13"));
        try {
            restClient.setLocalAddress(InetAddress.getByAddress(new byte[]{Byte.MAX_VALUE, 0, 0, 44}));
            Assert.assertEquals(200L, restClient.get("_searchguard/authinfo?pretty", new Header[0]).getStatusCode());
            cluster.updateSgConfig(CType.BLOCKS, "block_ip", ImmutableMap.of("type", "net_mask", "value", Arrays.asList("10.11.12.8/29"), "verdict", "disallow"));
            Assert.assertEquals(401L, restClient.get("_searchguard/authinfo?pretty", new Header[0]).getStatusCode());
            if (restClient != null) {
                restClient.close();
            }
        } catch (Throwable th) {
            if (restClient != null) {
                try {
                    restClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    @Ignore("TODO replacement")
    public void testFailureRateLimitingXff() throws Exception {
        LocalCluster start = new LocalCluster.Builder().singleNode().sslEnabled().start();
        try {
            BasicHeader basicHeader = new BasicHeader("X-Forwarded-For", "10.14.15.16");
            GenericRestClient restClient = start.getRestClient(TEST_USER, basicHeader);
            try {
                GenericRestClient restClient2 = start.getRestClient("any_name", "any_password", basicHeader);
                try {
                    Assert.assertEquals(restClient.get("_searchguard/authinfo?pretty", new Header[0]).toString(), 200L, r0.getStatusCode());
                    Assert.assertEquals(restClient2.get("_searchguard/authinfo?pretty", new Header[0]).toString(), 401L, r0.getStatusCode());
                    Assert.assertEquals(restClient.get("_searchguard/authinfo?pretty", new Header[0]).toString(), 200L, r0.getStatusCode());
                    for (int i = 0; i < 3; i++) {
                        Assert.assertEquals(restClient2.get("_searchguard/authinfo?pretty", new Header[0]).toString(), 401L, r0.getStatusCode());
                    }
                    Assert.assertEquals(restClient.get("_searchguard/authinfo?pretty", new Header[0]).toString(), 401L, r0.getStatusCode());
                    if (restClient2 != null) {
                        restClient2.close();
                    }
                    if (restClient != null) {
                        restClient.close();
                    }
                    if (start != null) {
                        start.close();
                    }
                } catch (Throwable th) {
                    if (restClient2 != null) {
                        try {
                            restClient2.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } finally {
            }
        } catch (Throwable th3) {
            if (start != null) {
                try {
                    start.close();
                } catch (Throwable th4) {
                    th3.addSuppressed(th4);
                }
            }
            throw th3;
        }
    }
}
