package com.floragunn.searchguard.authtoken;

import com.fasterxml.jackson.databind.JsonNode;
import com.floragunn.searchguard.DefaultObjectMapper;
import com.floragunn.searchguard.authtoken.api.CreateAuthTokenRequest;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchguard.test.helper.cluster.TestSgConfig;
import com.floragunn.searchguard.test.helper.rest.RestHelper;
import com.google.common.io.BaseEncoding;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Objects;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.Client;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/authtoken/AuthTokenIntegrationTest.class */
public class AuthTokenIntegrationTest {
    // Search Guard configuration used by the class-level cluster. It enables the auth token provider
    // (HS512 signing key, audience "searchguard_tokenauth", max validity "1y", at most 10 tokens per user)
    // and two auth domains: internal basic auth (order 1) and the sg_auth_token domain (order 0, HTTP only).
    // The signing key embedded here is a test fixture that lives in source; it must never be reused as the
    // signing key of a real cluster, because anyone who can read this file could mint valid tokens with it.
    private static String SGCONFIG = "_sg_meta:\n  type: \"config\"\n  config_version: 2\n\nsg_config:\n  dynamic:\n    auth_token_provider: \n      enabled: true\n      jwt_signing_key_hs512: \"eTDZjSqRD9Abhod9iqeGX_7o93a-eElTeXWAF6FmzQshmRIrPD-C9ET3pFjJ_IBrzmWIZDk8ig-X_PIyGmKsxNMsrU-0BNWF5gJq5xOp4rYTl8z66Tw9wr8tHLxLxgJqkLSuUCRBZvlZlQ7jNdhBBxgM-hdSSzsN1T33qdIwhrUeJ-KXI5yKUXHjoWFYb9tETbYQ4NvONowkCsXK_flp-E3F_OcKe_z5iVUszAV8QfCod1zhbya540kDejXCL6N_XMmhWJqum7UJ3hgf6DEtroPSnVpHt4iR5w9ArKK-IBgluPght03gNcoNqwz7p77TFbdOmUKF_PWy1bcdbaUoSg\"\n      jwt_aud: \"searchguard_tokenauth\"\n      max_validity: \"1y\"\n      max_tokens_per_user: 10\n    authc:\n      authentication_domain_basic_internal:\n        http_enabled: true\n        transport_enabled: true\n        order: 1\n        http_authenticator:\n          challenge: true\n          type: \"basic\"\n          config: {}\n        authentication_backend:\n          type: \"intern\"\n          config:\n            map_db_attrs_to_user_attrs:\n              index: test_attr_1.c\n              all: test_attr_1\n      sg_issued_jwt_auth_domain:\n        description: \"Authenticate via Json Web Tokens issued by Search Guard\"\n        http_enabled: true\n        transport_enabled: false\n        order: 0\n        http_authenticator:\n          type: sg_auth_token\n          challenge: false\n        authentication_backend:\n          type: sg_auth_token";
    // Test configuration built from the "authtoken" resources plus the YAML above.
    static TestSgConfig sgConfig = new TestSgConfig().resources("authtoken").sgConfigSettings("", TestSgConfig.fromYaml(SGCONFIG), new Object[0]);

    // Shared TLS-enabled cluster for the tests in this class; the REST management API is enabled for the
    // "sg_admin" role. NOTE(review): several tests address nodes 0..2, so this presumably starts three nodes - confirm.
    @ClassRule
    public static LocalCluster cluster = new LocalCluster.Builder().nodeSettings(new Object[]{"searchguard.restapi.roles_enabled.0", "sg_admin"}).resources("authtoken").sslEnabled().sgConfig(sgConfig).build();
    // REST helper bound to the shared cluster; assigned once in setupDependencies().
    private static RestHelper rh = null;

    /**
     * Obtains the REST helper of the shared cluster once, before any test of this class runs.
     */
    @BeforeClass
    public static void setupDependencies() {
        final RestHelper clusterRestHelper = cluster.restHelper();
        rh = clusterRestHelper;
    }

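    /**
     * Seeds the shared cluster with one document per index used by the authorization tests.
     *
     * <p>The value of the {@code this_is} field states whether a token-authenticated request is expected to see
     * the document. Each write uses an immediate refresh so the document is searchable as soon as this returns.
     */
    @BeforeClass
    public static void setupTestData() {
        // try-with-resources closes the internal client exactly once, on success and on failure alike.
        try (Client internalClient = cluster.getInternalClient()) {
            internalClient.index(new IndexRequest("pub_test_deny").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"this_is", "not_allowed_from_token"})).actionGet();
            internalClient.index(new IndexRequest("pub_test_allow_because_from_token").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"this_is", "allowed"})).actionGet();
            internalClient.index(new IndexRequest("user_attr_foo").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"this_is", "allowed"})).actionGet();
            internalClient.index(new IndexRequest("user_attr_qux").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"this_is", "not_allowed"})).actionGet();
        }
    }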

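    /**
     * Checks that a token issued to "spock" is HS512-signed, names the user in its payload, and limits the bearer
     * to the index pattern requested when the token was created.
     *
     * <p>With basic auth "spock" can search both {@code pub_test_allow_because_from_token} and
     * {@code pub_test_deny}. With the bearer token only the first index may be searched; the second must be
     * rejected with a "no permissions" error. The token check is repeated against nodes 0, 1 and 2.
     *
     * @throws Exception if a request fails unexpectedly
     */
    @Test
    public void basicTest() throws Exception {
        CreateAuthTokenRequest createAuthTokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
        createAuthTokenRequest.setTokenName("my_new_token");
        Header basicAuth = basicAuth("spock", "spock");
        System.out.println(createAuthTokenRequest.toJson());
        RestHelper.HttpResponse createResponse = rh.executePostRequest("/_searchguard/authtoken", createAuthTokenRequest.toJson(), new Header[]{basicAuth});
        // NOTE(review): the response body includes the issued bearer token, so this line writes a usable
        // credential to stdout. That is tolerable only because the token is bound to this throwaway test cluster.
        System.out.println(createResponse.getBody());
        Assert.assertEquals(200L, createResponse.getStatusCode());
        String token = createResponse.toJsonNode().get("token").asText();
        Assert.assertNotNull(token);
        Assert.assertEquals("HS512", getJwtHeaderValue(token, "alg"));
        String payload = getJwtPayload(token);
        Assert.assertTrue(payload, payload.contains("spock"));

        // Baseline: the user's own credentials can read both indices.
        try (RestHighLevelClient userClient = cluster.getRestHighLevelClient("spock", "spock")) {
            SearchResponse allowed = userClient.search(new SearchRequest(new String[]{"pub_test_allow_because_from_token"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
            Assert.assertEquals(1L, allowed.getHits().getTotalHits().value);
            Assert.assertEquals("allowed", allowed.getHits().getAt(0).getSourceAsMap().get("this_is"));
            SearchResponse alsoAllowed = userClient.search(new SearchRequest(new String[]{"pub_test_deny"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
            Assert.assertEquals(1L, alsoAllowed.getHits().getTotalHits().value);
            Assert.assertEquals("not_allowed_from_token", alsoAllowed.getHits().getAt(0).getSourceAsMap().get("this_is"));
        }

        // The token must narrow those privileges no matter which node receives the request.
        for (int node = 0; node < 3; node++) {
            Header bearer = new BasicHeader("Authorization", "Bearer " + token);
            try (RestHighLevelClient tokenClient = cluster.getRestHighLevelClientForNode(node, new Header[]{bearer})) {
                SearchResponse allowed = tokenClient.search(new SearchRequest(new String[]{"pub_test_allow_because_from_token"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
                Assert.assertEquals(1L, allowed.getHits().getTotalHits().value);
                Assert.assertEquals("allowed", allowed.getHits().getAt(0).getSourceAsMap().get("this_is"));
                try {
                    // Assert.fail raises AssertionError, which the catch (Exception) below does not intercept,
                    // so a search that unexpectedly succeeds fails the test.
                    Assert.fail(tokenClient.search(new SearchRequest(new String[]{"pub_test_deny"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT).toString());
                } catch (Exception e) {
                    Assert.assertTrue(e.getMessage(), e.getMessage().contains("no permissions for [indices:data/read/search]"));
                }
            }
        }
    }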

    /**
     * Checks the per-user token quota: ten creations for "nagilum" succeed and the eleventh is rejected
     * with HTTP 403 and the quota error message.
     *
     * @throws Exception if a request fails unexpectedly
     */
    @Test
    public void maxTokenCountTest() throws Exception {
        final String endpoint = "/_searchguard/authtoken";
        final CreateAuthTokenRequest tokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
        tokenRequest.setTokenName("my_new_token");
        final Header[] credentials = new Header[]{basicAuth("nagilum", "nagilum")};

        // Fill the quota; every one of these requests has to be accepted.
        int created = 0;
        while (created < 10) {
            RestHelper.HttpResponse accepted = rh.executePostRequest(endpoint, tokenRequest.toJson(), credentials);
            Assert.assertEquals(200L, accepted.getStatusCode());
            created++;
        }

        // One request beyond the quota has to be refused.
        RestHelper.HttpResponse rejected = rh.executePostRequest(endpoint, tokenRequest.toJson(), credentials);
        System.out.println(rejected.getBody());
        Assert.assertEquals(403L, rejected.getStatusCode());
        String reason = rejected.toJsonNode().at("/error/root_cause/0/reason").textValue();
        Assert.assertEquals("Cannot create token. Token limit per user exceeded. Max number of allowed tokens is 10", reason);
    }

    /**
     * Checks that a bearer token cannot be used to mint another token, even when it was requested with
     * wildcard cluster and index permissions.
     *
     * <p>The first creation uses basic auth and must succeed; the second authenticates with the issued
     * token and must be refused with HTTP 403 and a "no permissions" message for the create action.
     *
     * @throws Exception if a request fails unexpectedly
     */
    @Test
    public void createTokenWithTokenForbidden() throws Exception {
        final String endpoint = "/_searchguard/authtoken";

        CreateAuthTokenRequest firstRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("cluster_permissions: '*'\nindex_permissions:\n- index_patterns: '*'\n  allowed_actions: '*'"));
        firstRequest.setTokenName("my_new_token_with_with_i_am_trying_to_create_another_token");
        Header[] userCredentials = new Header[]{basicAuth("spock", "spock")};
        RestHelper.HttpResponse firstResponse = rh.executePostRequest(endpoint, firstRequest.toJson(), userCredentials);
        System.out.println(firstResponse.getBody());
        Assert.assertEquals(200L, firstResponse.getStatusCode());
        String issuedToken = firstResponse.toJsonNode().get("token").asText();
        Assert.assertNotNull(issuedToken);

        // Second attempt: same privileges, but authenticated with the token that was just issued.
        Header bearer = new BasicHeader("Authorization", "Bearer " + issuedToken);
        CreateAuthTokenRequest secondRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("cluster_permissions: '*'\nindex_permissions:\n- index_patterns: '*'\n  allowed_actions: '*'"));
        secondRequest.setTokenName("this_token_should_not_be_created");
        RestHelper.HttpResponse secondResponse = rh.executePostRequest(endpoint, secondRequest.toJson(), new Header[]{bearer});
        Assert.assertEquals(403L, secondResponse.getStatusCode());
        String secondBody = secondResponse.getBody();
        Assert.assertTrue(secondBody, secondBody.contains("no permissions for [cluster:admin:searchguard:authtoken/_own/create]"));
    }

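    /**
     * Checks index access for "picard" on the {@code user_attr_*} indices, once with basic auth and once with
     * a token requested for the pattern {@code user_attr_*}.
     *
     * <p>In both cases {@code user_attr_foo} must be readable and {@code user_attr_qux} must be rejected with a
     * "no permissions" error. The negative checks are wrapped in {@code Assert.fail}: without it, a search on
     * {@code user_attr_qux} that wrongly succeeds would leave the test green.
     *
     * @throws Exception if a request fails unexpectedly
     */
    @Test
    public void userAttrTest() throws Exception {
        CreateAuthTokenRequest createAuthTokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: 'user_attr_*'\n  allowed_actions: '*'"));
        createAuthTokenRequest.setTokenName("my_new_token");
        Header basicAuth = basicAuth("picard", "picard");
        System.out.println(createAuthTokenRequest.toJson());
        RestHelper.HttpResponse createResponse = rh.executePostRequest("/_searchguard/authtoken", createAuthTokenRequest.toJson(), new Header[]{basicAuth});
        // NOTE(review): the response body includes the issued bearer token; printing it is tolerable only
        // because the token is bound to this throwaway test cluster.
        System.out.println(createResponse.getBody());
        Assert.assertEquals(200L, createResponse.getStatusCode());
        String token = createResponse.toJsonNode().get("token").asText();
        Assert.assertNotNull(token);

        try (RestHighLevelClient userClient = cluster.getRestHighLevelClient("picard", "picard")) {
            SearchResponse allowed = userClient.search(new SearchRequest(new String[]{"user_attr_foo"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
            Assert.assertEquals(1L, allowed.getHits().getTotalHits().value);
            Assert.assertEquals("allowed", allowed.getHits().getAt(0).getSourceAsMap().get("this_is"));
            try {
                // AssertionError is not an Exception, so a successful search fails the test instead of
                // being swallowed by the catch below.
                Assert.fail(userClient.search(new SearchRequest(new String[]{"user_attr_qux"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT).toString());
            } catch (Exception e) {
                Assert.assertTrue(e.getMessage(), e.getMessage().contains("no permissions for [indices:data/read/search]"));
            }
        }

        Header bearer = new BasicHeader("Authorization", "Bearer " + token);
        try (RestHighLevelClient tokenClient = cluster.getRestHighLevelClient(new Header[]{bearer})) {
            SearchResponse allowed = tokenClient.search(new SearchRequest(new String[]{"user_attr_foo"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
            Assert.assertEquals(1L, allowed.getHits().getTotalHits().value);
            Assert.assertEquals("allowed", allowed.getHits().getAt(0).getSourceAsMap().get("this_is"));
            try {
                Assert.fail(tokenClient.search(new SearchRequest(new String[]{"user_attr_qux"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT).toString());
            } catch (Exception e) {
                Assert.assertTrue(e.getMessage(), e.getMessage().contains("no permissions for [indices:data/read/search]"));
            }
        }
    }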

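    /**
     * Checks that a revoked token stops working on every node.
     *
     * <p>The token is first confirmed to work on nodes 0, 1 and 2 (allowed index readable, {@code pub_test_deny}
     * rejected). It is then deleted through the REST API by its id, after which a search on the previously
     * allowed index must be rejected with a "no permissions" error on each node.
     *
     * @throws Exception if a request fails unexpectedly
     */
    @Test
    public void revocationTest() throws Exception {
        CreateAuthTokenRequest createAuthTokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
        createAuthTokenRequest.setTokenName("my_new_token");
        Header basicAuth = basicAuth("spock", "spock");
        RestHelper.HttpResponse createResponse = rh.executePostRequest("/_searchguard/authtoken", createAuthTokenRequest.toJson(), new Header[]{basicAuth});
        Assert.assertEquals(200L, createResponse.getStatusCode());
        String token = createResponse.toJsonNode().get("token").asText();
        String tokenId = createResponse.toJsonNode().get("id").asText();
        Assert.assertNotNull(token);
        Assert.assertNotNull(tokenId);

        // Before revocation: the token works, within its restricted scope, on every node.
        for (int node = 0; node < 3; node++) {
            Header bearer = new BasicHeader("Authorization", "Bearer " + token);
            try (RestHighLevelClient tokenClient = cluster.getRestHighLevelClientForNode(node, new Header[]{bearer})) {
                SearchResponse allowed = tokenClient.search(new SearchRequest(new String[]{"pub_test_allow_because_from_token"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
                Assert.assertEquals(1L, allowed.getHits().getTotalHits().value);
                Assert.assertEquals("allowed", allowed.getHits().getAt(0).getSourceAsMap().get("this_is"));
                try {
                    Assert.fail(tokenClient.search(new SearchRequest(new String[]{"pub_test_deny"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT).toString());
                } catch (Exception e) {
                    Assert.assertTrue(e.getMessage(), e.getMessage().contains("no permissions for [indices:data/read/search]"));
                }
            }
        }

        // Keep the response in a local so that both its body (failure message) and its status can be read.
        RestHelper.HttpResponse deleteResponse = rh.executeDeleteRequest("/_searchguard/authtoken/" + tokenId, new Header[]{basicAuth});
        Assert.assertEquals(deleteResponse.getBody(), 200L, deleteResponse.getStatusCode());
        // NOTE(review): presumably gives the revocation time to reach all nodes; a fixed sleep can make the
        // test timing-dependent - confirm whether polling would be more reliable.
        Thread.sleep(100L);

        // After revocation: the same token must be refused on every node.
        for (int node = 0; node < 3; node++) {
            Header bearer = new BasicHeader("Authorization", "Bearer " + token);
            try (RestHighLevelClient tokenClient = cluster.getRestHighLevelClientForNode(node, new Header[]{bearer})) {
                try {
                    Assert.fail(tokenClient.search(new SearchRequest(new String[]{"pub_test_allow_because_from_token"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT).toString());
                } catch (Exception e) {
                    Assert.assertTrue(e.getMessage(), e.getMessage().contains("no permissions for [indices:data/read/search]"));
                }
            }
        }
    }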

    /**
     * Checks the token listing and lookup endpoints for per-user isolation.
     *
     * <p>Two tokens are created for "spock" and one for "picard". As "spock", the search endpoint must not
     * mention "picard", a wildcard search on the token name must return exactly the two "spock" tokens, a
     * lookup of one of them by id must return the matching token name, and a lookup of the "picard" token id
     * must yield HTTP 404. As "admin", the same wildcard search must return all three tokens.
     *
     * @throws Exception if a request fails unexpectedly
     */
    @Test
    public void getAndSearchTest() throws Exception {
        final String tokenEndpoint = "/_searchguard/authtoken";
        final String searchEndpoint = "/_searchguard/authtoken/_search";
        final String wildcardQuery = "{\n    \"query\": {\n        \"wildcard\": {\n            \"token_name\": {\n                \"value\": \"get_and_search_test_*\"\n            }\n        }\n    }\n}";

        CreateAuthTokenRequest tokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
        Header spockAuth = basicAuth("spock", "spock");

        // Two tokens owned by "spock".
        tokenRequest.setTokenName("get_and_search_test_token");
        RestHelper.HttpResponse firstSpockToken = rh.executePostRequest(tokenEndpoint, tokenRequest.toJson(), new Header[]{spockAuth});
        Assert.assertEquals(200L, firstSpockToken.getStatusCode());
        tokenRequest.setTokenName("get_and_search_test_token_2");
        RestHelper.HttpResponse secondSpockToken = rh.executePostRequest(tokenEndpoint, tokenRequest.toJson(), new Header[]{spockAuth});
        Assert.assertEquals(200L, secondSpockToken.getStatusCode());

        // One token owned by "picard"; its id is used for the cross-user lookup below.
        tokenRequest.setTokenName("get_and_search_test_token_picard");
        RestHelper.HttpResponse picardToken = rh.executePostRequest(tokenEndpoint, tokenRequest.toJson(), new Header[]{basicAuth("picard", "picard")});
        Assert.assertEquals(200L, picardToken.getStatusCode());
        String picardTokenId = picardToken.toJsonNode().get("id").textValue();

        RestHelper.HttpResponse listing = rh.executeGetRequest(searchEndpoint, new Header[]{spockAuth});
        Assert.assertEquals(200L, listing.getStatusCode());
        Assert.assertFalse(listing.getBody(), listing.getBody().contains("\"picard\""));

        RestHelper.HttpResponse spockSearch = rh.executePostRequest(searchEndpoint, wildcardQuery, new Header[]{spockAuth});
        String spockSearchBody = spockSearch.getBody();
        System.out.println(spockSearchBody);
        Assert.assertEquals(spockSearch.getBody(), 200L, spockSearch.getStatusCode());
        JsonNode spockHits = spockSearch.toJsonNode();
        Assert.assertEquals(spockSearch.getBody(), 2L, spockHits.at("/hits/total/value").intValue());
        Assert.assertEquals(spockSearch.getBody(), "spock", spockHits.at("/hits/hits/0/_source/user_name").textValue());
        Assert.assertEquals(spockSearch.getBody(), "spock", spockHits.at("/hits/hits/1/_source/user_name").textValue());

        // Look up the first hit by id and compare it with the name reported by the search.
        String firstHitId = spockHits.at("/hits/hits/0/_id").textValue();
        String firstHitName = spockHits.at("/hits/hits/0/_source/token_name").textValue();
        RestHelper.HttpResponse ownLookup = rh.executeGetRequest(tokenEndpoint + "/" + firstHitId, new Header[]{spockAuth});
        Assert.assertEquals(ownLookup.getBody(), firstHitName, ownLookup.toJsonNode().get("token_name").textValue());

        // A token id that belongs to another user must not be resolvable.
        RestHelper.HttpResponse foreignLookup = rh.executeGetRequest(tokenEndpoint + "/" + picardTokenId, new Header[]{spockAuth});
        Assert.assertEquals(404L, foreignLookup.getStatusCode());

        RestHelper.HttpResponse adminSearch = rh.executePostRequest(searchEndpoint, wildcardQuery, new Header[]{basicAuth("admin", "admin")});
        Assert.assertEquals(adminSearch.getBody(), 3L, adminSearch.toJsonNode().at("/hits/total/value").intValue());
        Assert.assertTrue(adminSearch.getBody(), adminSearch.getBody().contains("\"spock\""));
        Assert.assertTrue(adminSearch.getBody(), adminSearch.getBody().contains("\"picard\""));
    }

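    /**
     * Checks tokens issued by a provider configured with both a signing key and an A256KW encryption key.
     *
     * <p>A dedicated single-node cluster is started with that configuration. The issued token must carry the
     * header values {@code alg=A256KW} and {@code enc=A256CBC-HS512}, and its payload segment must not contain
     * the user name in clear text. The authorization checks then mirror the unencrypted case: basic auth reads
     * both indices, the bearer token reads only the allowed one.
     *
     * <p>The keys in the configuration are test fixtures that live in source and must never be reused for a
     * real cluster.
     *
     * @throws Exception if a request fails unexpectedly
     */
    @Test
    public void encryptedAuthTokenTest() throws Exception {
        String sgConfigYaml = "_sg_meta:\n  type: \"config\"\n  config_version: 2\n\nsg_config:\n  dynamic:\n    auth_token_provider: \n      enabled: true\n      jwt_signing_key_hs512: \"0c8YGg-YdAuOqIZFMoWm0INDnZhmZmTy3ovdZ3PDeJwAQ1qEYn_sivE0960sIKl8sRQnIti7-JEUeVfeJxgpBg==\"\n      jwt_encryption_key_a256kw: \"Z74PlpmePaZg2Ubm3ipD9QE4uX45GWAPwjMHCKpb6Xk=\"\n      jwt_aud: \"searchguard_tokenauth\"\n      max_validity: \"1y\"\n    authc:\n      authentication_domain_basic_internal:\n        http_enabled: true\n        transport_enabled: true\n        order: 1\n        http_authenticator:\n          challenge: true\n          type: \"basic\"\n          config: {}\n        authentication_backend:\n          type: \"intern\"\n          config:\n            map_db_attrs_to_user_attrs:\n              index: test_attr_1.c\n              all: test_attr_1\n      sg_issued_jwt_auth_domain:\n        description: \"Authenticate via Json Web Tokens issued by Search Guard\"\n        http_enabled: true\n        transport_enabled: false\n        order: 0\n        http_authenticator:\n          type: sg_auth_token\n          challenge: false\n        authentication_backend:\n          type: sg_auth_token";
        TestSgConfig encryptedConfig = new TestSgConfig().resources("authtoken").sgConfigSettings("", TestSgConfig.fromYaml(sgConfigYaml), new Object[0]);

        // Each resource is closed exactly once, also when an assertion fails midway.
        try (LocalCluster build = new LocalCluster.Builder().resources("authtoken").sslEnabled().singleNode().sgConfig(encryptedConfig).build()) {
            RestHelper restHelper = build.restHelper();
            try (Client internalClient = build.getInternalClient()) {
                internalClient.index(new IndexRequest("pub_test_deny").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"this_is", "not_allowed_from_token"})).actionGet();
                internalClient.index(new IndexRequest("pub_test_allow_because_from_token").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"this_is", "allowed"})).actionGet();
            }

            CreateAuthTokenRequest createAuthTokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
            createAuthTokenRequest.setTokenName("my_new_token");
            Header basicAuth = basicAuth("spock", "spock");
            System.out.println(createAuthTokenRequest.toJson());
            RestHelper.HttpResponse createResponse = restHelper.executePostRequest("/_searchguard/authtoken", createAuthTokenRequest.toJson(), new Header[]{basicAuth});
            // NOTE(review): the response body includes the issued bearer token; printing it is tolerable only
            // because the token is bound to this throwaway test cluster.
            System.out.println(createResponse.getBody());
            Assert.assertEquals(200L, createResponse.getStatusCode());
            String token = createResponse.toJsonNode().get("token").asText();
            Assert.assertNotNull(token);
            Assert.assertEquals("A256KW", getJwtHeaderValue(token, "alg"));
            Assert.assertEquals("A256CBC-HS512", getJwtHeaderValue(token, "enc"));
            String payload = getJwtPayload(token);
            Assert.assertFalse("JWT payload seems to be unencrypted because it contains the user name in clear text: " + payload, payload.contains("spock"));

            // Baseline: the user's own credentials can read both indices.
            try (RestHighLevelClient userClient = build.getRestHighLevelClient("spock", "spock")) {
                SearchResponse allowed = userClient.search(new SearchRequest(new String[]{"pub_test_allow_because_from_token"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
                Assert.assertEquals(1L, allowed.getHits().getTotalHits().value);
                Assert.assertEquals("allowed", allowed.getHits().getAt(0).getSourceAsMap().get("this_is"));
                SearchResponse alsoAllowed = userClient.search(new SearchRequest(new String[]{"pub_test_deny"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
                Assert.assertEquals(1L, alsoAllowed.getHits().getTotalHits().value);
                Assert.assertEquals("not_allowed_from_token", alsoAllowed.getHits().getAt(0).getSourceAsMap().get("this_is"));
            }

            Header bearer = new BasicHeader("Authorization", "Bearer " + token);
            try (RestHighLevelClient tokenClient = build.getRestHighLevelClient(new Header[]{bearer})) {
                SearchResponse allowed = tokenClient.search(new SearchRequest(new String[]{"pub_test_allow_because_from_token"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
                Assert.assertEquals(1L, allowed.getHits().getTotalHits().value);
                Assert.assertEquals("allowed", allowed.getHits().getAt(0).getSourceAsMap().get("this_is"));
                try {
                    // AssertionError is not an Exception, so a successful search fails the test instead of
                    // being swallowed by the catch below.
                    Assert.fail(tokenClient.search(new SearchRequest(new String[]{"pub_test_deny"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT).toString());
                } catch (Exception e) {
                    Assert.assertTrue(e.getMessage(), e.getMessage().contains("no permissions for [indices:data/read/search]"));
                }
            }
        }
    }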

    @Test
    public void ecSignedAuthTokenTest() throws Exception {
        LocalCluster build = new LocalCluster.Builder().resources("authtoken").sslEnabled().singleNode().sgConfig(new TestSgConfig().resources("authtoken").sgConfigSettings("", TestSgConfig.fromYaml("_sg_meta:\n  type: \"config\"\n  config_version: 2\n\nsg_config:\n  dynamic:\n    auth_token_provider: \n      enabled: true\n      jwt_signing_key: \n        kty: EC\n        d: \"1nlQeqOq48OPWiDkmOIXLF_XBWUe9LSznBvWzPI4Ggo\"\n        use: sig\n        crv: P-256\n        x: \"lBybOJZyK6r8Nx54Jn4cKoDUZgyOdLlsQ2EHk-7LStk\"\n        y: \"BwSiCmlnS1CDetg_iuxBZKkh6VTMrra0aIT9dBeoCZU\"\n        alg: ES256\n      jwt_aud: \"searchguard_tokenauth\"\n      max_validity: \"1y\"\n    authc:\n      authentication_domain_basic_internal:\n        http_enabled: true\n        transport_enabled: true\n        order: 1\n        http_authenticator:\n          challenge: true\n          type: \"basic\"\n          config: {}\n        authentication_backend:\n          type: \"intern\"\n          config:\n            map_db_attrs_to_user_attrs:\n              index: test_attr_1.c\n              all: test_attr_1\n      sg_issued_jwt_auth_domain:\n        description: \"Authenticate via Json Web Tokens issued by Search Guard\"\n        http_enabled: true\n        transport_enabled: false\n        order: 0\n        http_authenticator:\n          type: sg_auth_token\n          challenge: false\n        authentication_backend:\n          type: sg_auth_token"), new Object[0])).build();
        try {
            RestHelper restHelper = build.restHelper();
            Client internalClient = build.getInternalClient();
            try {
                internalClient.index(new IndexRequest("pub_test_deny").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"this_is", "not_allowed_from_token"})).actionGet();
                internalClient.index(new IndexRequest("pub_test_allow_because_from_token").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"this_is", "allowed"})).actionGet();
                if (internalClient != null) {
                    internalClient.close();
                }
                CreateAuthTokenRequest createAuthTokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
                createAuthTokenRequest.setTokenName("my_new_token");
                Header basicAuth = basicAuth("spock", "spock");
                System.out.println(createAuthTokenRequest.toJson());
                RestHelper.HttpResponse executePostRequest = restHelper.executePostRequest("/_searchguard/authtoken", createAuthTokenRequest.toJson(), new Header[]{basicAuth});
                System.out.println(executePostRequest.getBody());
                Assert.assertEquals(200L, executePostRequest.getStatusCode());
                String asText = executePostRequest.toJsonNode().get("token").asText();
                Assert.assertNotNull(asText);
                Assert.assertEquals("ES256", getJwtHeaderValue(asText, "alg"));
                Assert.assertTrue(getJwtPayload(asText), getJwtPayload(asText).contains("spock"));
                RestHighLevelClient restHighLevelClient = build.getRestHighLevelClient("spock", "spock");
                try {
                    SearchResponse search = restHighLevelClient.search(new SearchRequest(new String[]{"pub_test_allow_because_from_token"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
                    Assert.assertEquals(1L, search.getHits().getTotalHits().value);
                    Assert.assertEquals("allowed", search.getHits().getAt(0).getSourceAsMap().get("this_is"));
                    SearchResponse search2 = restHighLevelClient.search(new SearchRequest(new String[]{"pub_test_deny"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
                    Assert.assertEquals(1L, search2.getHits().getTotalHits().value);
                    Assert.assertEquals("not_allowed_from_token", search2.getHits().getAt(0).getSourceAsMap().get("this_is"));
                    if (restHighLevelClient != null) {
                        restHighLevelClient.close();
                    }
                    RestHighLevelClient restHighLevelClient2 = build.getRestHighLevelClient(new Header[]{new BasicHeader("Authorization", "Bearer " + asText)});
                    try {
                        SearchResponse search3 = restHighLevelClient2.search(new SearchRequest(new String[]{"pub_test_allow_because_from_token"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT);
                        Assert.assertEquals(1L, search3.getHits().getTotalHits().value);
                        Assert.assertEquals("allowed", search3.getHits().getAt(0).getSourceAsMap().get("this_is"));
                        try {
                            Assert.fail(restHighLevelClient2.search(new SearchRequest(new String[]{"pub_test_deny"}).source(SearchSourceBuilder.searchSource().query(QueryBuilders.matchAllQuery())), RequestOptions.DEFAULT).toString());
                        } catch (Exception e) {
                            Assert.assertTrue(e.getMessage(), e.getMessage().contains("no permissions for [indices:data/read/search]"));
                        }
                        if (restHighLevelClient2 != null) {
                            restHighLevelClient2.close();
                        }
                        if (build != null) {
                            build.close();
                        }
                    } finally {
                    }
                } finally {
                }
            } finally {
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

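    /**
     * Checks that an auth token requested with {@code cluster_permissions: ['*']} is accepted by
     * the Search Guard configuration REST API.
     *
     * <p>The token is created by user {@code admin} over Basic auth. The roles endpoint is then
     * queried twice, once with the Basic credentials as a baseline and once with the token as a
     * Bearer credential. Both calls are expected to return HTTP 200.
     *
     * @throws Exception if a REST call or the response parsing fails
     */
    @Test
    public void sgAdminRestApiTest() throws Exception {
        // NOTE(review): the decompiled listing passed an undeclared identifier `r0` to the first
        // roles request. The admin Basic header is the presumed intent; confirm against the
        // original source.
        Header adminAuth = basicAuth("admin", "admin");

        CreateAuthTokenRequest tokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("cluster_permissions: ['*']"));
        tokenRequest.setTokenName("rest_api_test_token");

        RestHelper.HttpResponse createResponse = rh.executePostRequest("/_searchguard/authtoken", tokenRequest.toJson(), new Header[]{adminAuth});
        Assert.assertEquals(200L, createResponse.getStatusCode());

        String token = createResponse.toJsonNode().get("token").asText();
        Assert.assertNotNull(token);
        BasicHeader bearerAuth = new BasicHeader("Authorization", "Bearer " + token);

        // Baseline: the issuing user itself can read the roles endpoint.
        Assert.assertEquals(200L, rh.executeGetRequest("_searchguard/api/roles", new Header[]{adminAuth}).getStatusCode());
        // The token requested every cluster permission, so it must be accepted as well.
        Assert.assertEquals(200L, rh.executeGetRequest("_searchguard/api/roles", new Header[]{bearerAuth}).getStatusCode());
    }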

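    /**
     * Checks that a token limited to index permissions cannot reach the Search Guard
     * configuration REST API, even though the issuing user can.
     *
     * <p>The token is requested with {@code index_permissions} on {@code *_from_token} only and
     * no cluster permissions. The roles endpoint must return HTTP 200 for the issuing user's
     * Basic credentials and HTTP 403 for the token.
     *
     * @throws Exception if a REST call or the response parsing fails
     */
    @Test
    public void sgAdminRestApiForbiddenTest() throws Exception {
        // NOTE(review): the decompiled listing passed an undeclared identifier `r0` to the first
        // roles request. The admin Basic header is the presumed intent; confirm against the
        // original source.
        Header adminAuth = basicAuth("admin", "admin");

        CreateAuthTokenRequest tokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("index_permissions:\n- index_patterns: '*_from_token'\n  allowed_actions: '*'"));
        tokenRequest.setTokenName("rest_api_test_token");

        RestHelper.HttpResponse createResponse = rh.executePostRequest("/_searchguard/authtoken", tokenRequest.toJson(), new Header[]{adminAuth});
        Assert.assertEquals(200L, createResponse.getStatusCode());

        String token = createResponse.toJsonNode().get("token").asText();
        Assert.assertNotNull(token);
        BasicHeader bearerAuth = new BasicHeader("Authorization", "Bearer " + token);

        // Baseline: without it, a 403 below could not be attributed to the token's reduced scope.
        Assert.assertEquals(200L, rh.executeGetRequest("_searchguard/api/roles", new Header[]{adminAuth}).getStatusCode());
        // The token must not inherit the issuing user's access to the configuration API.
        Assert.assertEquals(403L, rh.executeGetRequest("_searchguard/api/roles", new Header[]{bearerAuth}).getStatusCode());
    }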

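    /**
     * Checks that {@code exclude_cluster_permissions} overrides a wildcard cluster grant.
     *
     * <p>The token is requested with {@code cluster_permissions: ['*']} and an exclusion for
     * {@code cluster:admin:searchguard:configrestapi}. The roles endpoint must return HTTP 200
     * for the issuing user's Basic credentials and HTTP 403 for the token.
     *
     * @throws Exception if a REST call or the response parsing fails
     */
    @Test
    public void sgAdminRestApiExclusionTest() throws Exception {
        // NOTE(review): the decompiled listing passed an undeclared identifier `r0` to the first
        // roles request. The admin Basic header is the presumed intent; confirm against the
        // original source.
        Header adminAuth = basicAuth("admin", "admin");

        CreateAuthTokenRequest tokenRequest = new CreateAuthTokenRequest(RequestedPrivileges.parseYaml("cluster_permissions: ['*']\nexclude_cluster_permissions: ['cluster:admin:searchguard:configrestapi']"));
        tokenRequest.setTokenName("rest_api_test_token");

        RestHelper.HttpResponse createResponse = rh.executePostRequest("/_searchguard/authtoken", tokenRequest.toJson(), new Header[]{adminAuth});
        Assert.assertEquals(200L, createResponse.getStatusCode());

        String token = createResponse.toJsonNode().get("token").asText();
        Assert.assertNotNull(token);
        BasicHeader bearerAuth = new BasicHeader("Authorization", "Bearer " + token);

        // Baseline: the issuing user itself can read the roles endpoint.
        Assert.assertEquals(200L, rh.executeGetRequest("_searchguard/api/roles", new Header[]{adminAuth}).getStatusCode());
        // The exclusion has to win over the '*' grant, otherwise the deny list could be bypassed.
        Assert.assertEquals(403L, rh.executeGetRequest("_searchguard/api/roles", new Header[]{bearerAuth}).getStatusCode());
    }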

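    /**
     * Returns one text-valued field from the header of a compact-serialised JWT.
     *
     * <p>The header is the segment before the first {@code '.'}. It is base64url-decoded and
     * parsed as JSON. The signature is NOT verified, so this is only suitable for inspecting
     * tokens in tests and never for an authentication decision.
     *
     * @param str  the compact JWT
     * @param str2 name of the header field to read, e.g. {@code "alg"}
     * @return the field's text value
     * @throws IOException              if the decoded header cannot be parsed
     * @throws IllegalArgumentException if {@code str} has no {@code '.'} separator or the
     *                                  header is not valid base64url
     */
    private static String getJwtHeaderValue(String str, String str2) throws IOException {
        int headerEnd = str.indexOf('.');
        if (headerEnd < 0) {
            // Fail with a clear message instead of a StringIndexOutOfBoundsException from
            // substring(0, -1). The token itself is deliberately kept out of the message.
            throw new IllegalArgumentException("Not a compact JWT: no '.' separator found");
        }
        byte[] headerBytes = BaseEncoding.base64Url().decode(str.substring(0, headerEnd));
        // JWT segments are UTF-8 encoded JSON; do not depend on the platform default charset.
        String headerJson = new String(headerBytes, StandardCharsets.UTF_8);
        return DefaultObjectMapper.readTree(headerJson).get(str2).textValue();
    }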

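    /**
     * Returns the decoded payload (claims) segment of a compact-serialised JWT as a JSON string.
     *
     * <p>The payload is the text between the first and second {@code '.'}. If there is no second
     * separator, everything after the first one is decoded. The signature is NOT verified, so
     * this is only suitable for inspecting tokens in tests.
     *
     * @param str the compact JWT
     * @return the base64url-decoded payload, interpreted as UTF-8
     * @throws IllegalArgumentException if the segment is not valid base64url
     */
    private static String getJwtPayload(String str) {
        int firstDot = str.indexOf('.');
        int secondDot = str.indexOf('.', firstDot + 1);
        int payloadEnd = secondDot != -1 ? secondDot : str.length();
        byte[] payloadBytes = BaseEncoding.base64Url().decode(str.substring(firstDot + 1, payloadEnd));
        // JWT segments are UTF-8 encoded JSON; do not depend on the platform default charset.
        return new String(payloadBytes, StandardCharsets.UTF_8);
    }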

    /**
     * Builds an HTTP {@code Authorization} header for Basic authentication.
     *
     * <p>The value is {@code "Basic "} followed by the standard Base64 encoding of the UTF-8
     * bytes of {@code user:password}. Base64 is an encoding, not encryption, so the credentials
     * are recoverable by anyone who sees the header.
     *
     * @param str  the user name
     * @param str2 the password; must not be {@code null}
     * @return the {@code Authorization} header
     * @throws NullPointerException if {@code str2} is {@code null}
     */
    private static Header basicAuth(String str, String str2) {
        String password = Objects.requireNonNull(str2);
        String credentials = str + ":" + password;
        byte[] rawCredentials = credentials.getBytes(StandardCharsets.UTF_8);
        String encoded = Base64.getEncoder().encodeToString(rawCredentials);
        return new BasicHeader("Authorization", "Basic " + encoded);
    }
}
