package com.floragunn.searchguard;

import com.floragunn.searchguard.test.RestMatchers;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchguard.test.helper.cluster.TestSgConfig;
import com.floragunn.searchguard.test.helper.rest.RestHelper;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Objects;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.elasticsearch.ElasticsearchStatusException;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.Client;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.rest.RestStatus;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/PrivilegesEvaluatorTest.class */
public class PrivilegesEvaluatorTest {

    @ClassRule
    public static LocalCluster anotherCluster = new LocalCluster.Builder().singleNode().sslEnabled().setInSgConfig("sg_config.dynamic.do_not_fail_on_forbidden", "true", new Object[0]).user("resolve_test_user", "secret", new TestSgConfig.Role("resolve_test_user_role").indexPermissions("*").on("resolve_test_allow_*")).build();

    @ClassRule
    public static LocalCluster cluster = new LocalCluster.Builder().singleNode().sslEnabled().remote("my_remote", anotherCluster).setInSgConfig("sg_config.dynamic.do_not_fail_on_forbidden", "true", new Object[0]).user("resolve_test_user", "secret", new TestSgConfig.Role("resolve_test_user_role").indexPermissions("*").on("resolve_test_allow_*").indexPermissions("*").on("/alias_resolve_test_index_allow_.*/")).user("exclusion_test_user_basic", "secret", new TestSgConfig.Role("exclusion_test_user_role").clusterPermissions("*").indexPermissions("*").on("exclude_test_*").excludeIndexPermissions("*").on("exclude_test_disallow_*")).user("exclusion_test_user_basic_no_pattern", "secret", new TestSgConfig.Role("exclusion_test_user_basic_no_pattern_role").clusterPermissions("*").indexPermissions("*").on("exclude_test_*").excludeIndexPermissions("*").on("exclude_test_disallow_2")).user("exclusion_test_user_write", "secret", new TestSgConfig.Role("exclusion_test_user_action_exclusion_role").clusterPermissions("SGS_CLUSTER_COMPOSITE_OPS").indexPermissions("*").on("write_exclude_test_*").excludeIndexPermissions("SGS_WRITE").on("write_exclude_test_disallow_*")).user("exclusion_test_user_write_no_pattern", "secret", new TestSgConfig.Role("exclusion_test_user_write_no_pattern_role").clusterPermissions("SGS_CLUSTER_COMPOSITE_OPS").indexPermissions("*").on("write_exclude_test_*").excludeIndexPermissions("SGS_WRITE").on("write_exclude_test_disallow_2")).user("exclusion_test_user_cluster_permission", "secret", new TestSgConfig.Role("exclusion_test_user_cluster_permission_role").clusterPermissions("*").excludeClusterPermissions("indices:data/read/msearch").indexPermissions("*").on("exclude_test_*").excludeIndexPermissions("*").on("exclude_test_disallow_*")).build();

    @ClassRule
    public static LocalCluster clusterFof = new LocalCluster.Builder().singleNode().sslEnabled().remote("my_remote", anotherCluster).setInSgConfig("sg_config.dynamic.do_not_fail_on_forbidden", "false", new Object[0]).user("exclusion_test_user_basic", "secret", new TestSgConfig.Role("exclusion_test_user_role").clusterPermissions("*").indexPermissions("*").on("exclude_test_*").excludeIndexPermissions("*").on("exclude_test_disallow_*")).user("exclusion_test_user_basic_no_pattern", "secret", new TestSgConfig.Role("exclusion_test_user_basic_no_pattern_role").clusterPermissions("*").indexPermissions("*").on("exclude_test_*").excludeIndexPermissions("*").on("exclude_test_disallow_2")).user("exclusion_test_user_write", "secret", new TestSgConfig.Role("exclusion_test_user_action_exclusion_role").clusterPermissions("SGS_CLUSTER_COMPOSITE_OPS").indexPermissions("*").on("write_exclude_test_*").excludeIndexPermissions("SGS_WRITE").on("write_exclude_test_disallow_*")).user("exclusion_test_user_write_no_pattern", "secret", new TestSgConfig.Role("exclusion_test_user_write_no_pattern_role").clusterPermissions("SGS_CLUSTER_COMPOSITE_OPS").indexPermissions("*").on("write_exclude_test_*").excludeIndexPermissions("SGS_WRITE").on("write_exclude_test_disallow_2")).user("exclusion_test_user_cluster_permission", "secret", new TestSgConfig.Role("exclusion_test_user_cluster_permission_role").clusterPermissions("*").excludeClusterPermissions("indices:data/read/msearch").indexPermissions("*").on("exclude_test_*").excludeIndexPermissions("*").on("exclude_test_disallow_*")).build();

    @BeforeClass
    public static void setupTestData() {
        Client internalClient = cluster.getInternalClient();
        try {
            internalClient.index(new IndexRequest("resolve_test_allow_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "resolve_test_allow_1", "b", "y", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("resolve_test_allow_2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "resolve_test_allow_2", "b", "yy", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("resolve_test_disallow_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "resolve_test_disallow_1", "b", "yy", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("resolve_test_disallow_2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "resolve_test_disallow_2", "b", "yy", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("alias_resolve_test_index_allow_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "alias_resolve_test_index_allow_1", "b", "y", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("alias_resolve_test_index_allow_aliased_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "alias_resolve_test_index_allow_aliased_1", "b", "y", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("alias_resolve_test_index_allow_aliased_2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "alias_resolve_test_index_allow_aliased_2", "b", "y", "date", "1985/01/01"})).actionGet();
            internalClient.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(IndicesAliasesRequest.AliasActions.add().alias("alias_resolve_test_alias_1").index("alias_resolve_test_*"))).actionGet();
            internalClient.index(new IndexRequest("exclude_test_allow_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "exclude_test_allow_1", "b", "y", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("exclude_test_allow_2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "exclude_test_allow_2", "b", "yy", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("exclude_test_disallow_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "exclude_test_disallow_1", "b", "yy", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("exclude_test_disallow_2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "exclude_test_disallow_2", "b", "yy", "date", "1985/01/01"})).actionGet();
            if (internalClient != null) {
                internalClient.close();
            }
            Client internalClient2 = clusterFof.getInternalClient();
            try {
                internalClient2.index(new IndexRequest("exclude_test_allow_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "exclude_test_allow_1", "b", "y", "date", "1985/01/01"})).actionGet();
                internalClient2.index(new IndexRequest("exclude_test_allow_2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "exclude_test_allow_2", "b", "yy", "date", "1985/01/01"})).actionGet();
                internalClient2.index(new IndexRequest("exclude_test_disallow_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "exclude_test_disallow_1", "b", "yy", "date", "1985/01/01"})).actionGet();
                internalClient2.index(new IndexRequest("exclude_test_disallow_2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "exclude_test_disallow_2", "b", "yy", "date", "1985/01/01"})).actionGet();
                if (internalClient2 != null) {
                    internalClient2.close();
                }
                internalClient2 = anotherCluster.getInternalClient();
                try {
                    internalClient2.index(new IndexRequest("resolve_test_allow_remote_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"a", "x", "b", "y", "date", "1985/01/01"})).actionGet();
                    internalClient2.index(new IndexRequest("resolve_test_allow_remote_2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"a", "xx", "b", "yy", "date", "1985/01/01"})).actionGet();
                    internalClient2.index(new IndexRequest("resolve_test_disallow_remote_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"a", "xx", "b", "yy", "date", "1985/01/01"})).actionGet();
                    internalClient2.index(new IndexRequest("resolve_test_disallow_remote_2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"a", "xx", "b", "yy", "date", "1985/01/01"})).actionGet();
                    if (internalClient2 != null) {
                        internalClient2.close();
                    }
                } finally {
                }
            } finally {
            }
        } finally {
            if (internalClient != null) {
                try {
                    internalClient.close();
                } catch (Throwable th) {
                    th.addSuppressed(th);
                }
            }
        }
    }

    @Test
    public void resolveTestLocal() throws Exception {
        RestHelper.HttpResponse executeGetRequest = cluster.restHelper().executeGetRequest("/_resolve/index/resolve_test_*", basicAuth("resolve_test_user", "secret"));
        Assert.assertThat(executeGetRequest, RestMatchers.isOk());
        Assert.assertThat(executeGetRequest, RestMatchers.json(RestMatchers.nodeAt("indices[*].name", Matchers.contains(new String[]{"resolve_test_allow_1", "resolve_test_allow_2"}))));
    }

    @Test
    public void resolveTestRemote() throws Exception {
        RestHelper.HttpResponse executeGetRequest = cluster.restHelper().executeGetRequest("/_resolve/index/my_remote:resolve_test_*", basicAuth("resolve_test_user", "secret"));
        Assert.assertThat(executeGetRequest, RestMatchers.isOk());
        Assert.assertThat(executeGetRequest, RestMatchers.json(RestMatchers.nodeAt("indices[*].name", Matchers.contains(new String[]{"my_remote:resolve_test_allow_remote_1", "my_remote:resolve_test_allow_remote_2"}))));
    }

    @Test
    public void resolveTestLocalRemoteMixed() throws Exception {
        RestHelper.HttpResponse executeGetRequest = cluster.restHelper().executeGetRequest("/_resolve/index/resolve_test_*,my_remote:resolve_test_*_remote_*", basicAuth("resolve_test_user", "secret"));
        Assert.assertThat(executeGetRequest, RestMatchers.isOk());
        Assert.assertThat(executeGetRequest, RestMatchers.json(RestMatchers.nodeAt("indices[*].name", Matchers.contains(new String[]{"resolve_test_allow_1", "resolve_test_allow_2", "my_remote:resolve_test_allow_remote_1", "my_remote:resolve_test_allow_remote_2"}))));
    }

    @Test
    public void resolveTestAliasAndIndexMixed() throws Exception {
        RestHelper.HttpResponse executeGetRequest = cluster.restHelper().executeGetRequest("/_resolve/index/alias_resolve_test_*", basicAuth("resolve_test_user", "secret"));
        Assert.assertThat(executeGetRequest, RestMatchers.isOk());
        Assert.assertThat(executeGetRequest, RestMatchers.json(RestMatchers.nodeAt("indices[*].name", Matchers.containsInAnyOrder(new String[]{"alias_resolve_test_index_allow_aliased_1", "alias_resolve_test_index_allow_aliased_2", "alias_resolve_test_index_allow_1"}))));
    }

    @Test
    public void readAliasAndIndexMixed() throws Exception {
        RestHelper.HttpResponse executeGetRequest = cluster.restHelper().executeGetRequest("/alias_resolve_test_*/_search", basicAuth("resolve_test_user", "secret"));
        Assert.assertThat(executeGetRequest, RestMatchers.isOk());
        Assert.assertThat(executeGetRequest, RestMatchers.json(RestMatchers.nodeAt("hits.hits[*]._source.index", Matchers.containsInAnyOrder(new String[]{"alias_resolve_test_index_allow_aliased_1", "alias_resolve_test_index_allow_aliased_2", "alias_resolve_test_index_allow_1"}))));
    }

    @Test
    public void excludeBasic() throws Exception {
        RestHelper.HttpResponse executeGetRequest = cluster.restHelper().executeGetRequest("/exclude_test_*/_search", basicAuth("exclusion_test_user_basic", "secret"));
        Assert.assertThat(executeGetRequest, RestMatchers.isOk());
        Assert.assertThat(executeGetRequest, RestMatchers.json(RestMatchers.nodeAt("hits.hits[*]._source.index", Matchers.containsInAnyOrder(new String[]{"exclude_test_allow_1", "exclude_test_allow_2"}))));
    }

    @Test
    public void excludeBasicNoPattern() throws Exception {
        RestHelper.HttpResponse executeGetRequest = cluster.restHelper().executeGetRequest("/exclude_test_*/_search", basicAuth("exclusion_test_user_basic_no_pattern", "secret"));
        Assert.assertThat(executeGetRequest, RestMatchers.isOk());
        Assert.assertThat(executeGetRequest, RestMatchers.json(RestMatchers.nodeAt("hits.hits[*]._source.index", Matchers.containsInAnyOrder(new String[]{"exclude_test_allow_1", "exclude_test_allow_2", "exclude_test_disallow_1"}))));
    }

    @Test
    public void excludeWrite() throws Exception {
        Client internalClient = cluster.getInternalClient();
        try {
            internalClient.index(new IndexRequest("write_exclude_test_allow_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "write_exclude_test_allow_1", "b", "y", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("write_exclude_test_allow_2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "write_exclude_test_allow_2", "b", "yy", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("write_exclude_test_disallow_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "write_exclude_test_disallow_1", "b", "yy", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("write_exclude_test_disallow_2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "write_exclude_test_disallow_2", "b", "yy", "date", "1985/01/01"})).actionGet();
            if (internalClient != null) {
                internalClient.close();
            }
            RestHelper.HttpResponse executeGetRequest = cluster.restHelper().executeGetRequest("/write_exclude_test_*/_search", basicAuth("exclusion_test_user_write", "secret"));
            Assert.assertThat(executeGetRequest, RestMatchers.isOk());
            Assert.assertThat(executeGetRequest, RestMatchers.json(RestMatchers.nodeAt("hits.hits[*]._source.index", Matchers.containsInAnyOrder(new String[]{"write_exclude_test_allow_1", "write_exclude_test_allow_2", "write_exclude_test_disallow_1", "write_exclude_test_disallow_2"}))));
            RestHighLevelClient restHighLevelClient = cluster.getRestHighLevelClient("exclusion_test_user_write", "secret");
            try {
                Assert.assertEquals(DocWriteResponse.Result.CREATED, restHighLevelClient.index(new IndexRequest("write_exclude_test_allow_1").source(new Object[]{"a", "b"}), RequestOptions.DEFAULT).getResult());
                try {
                    restHighLevelClient.index(new IndexRequest("write_exclude_test_disallow_1").source(new Object[]{"a", "b"}), RequestOptions.DEFAULT);
                    Assert.fail();
                } catch (ElasticsearchStatusException e) {
                    Assert.assertEquals(RestStatus.FORBIDDEN, e.status());
                    Assert.assertTrue(e.getMessage(), e.getMessage().contains("no permissions for [indices:data/write/index]"));
                }
                if (restHighLevelClient != null) {
                    restHighLevelClient.close();
                }
            } catch (Throwable th) {
                if (restHighLevelClient != null) {
                    try {
                        restHighLevelClient.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (Throwable th3) {
            if (internalClient != null) {
                try {
                    internalClient.close();
                } catch (Throwable th4) {
                    th3.addSuppressed(th4);
                }
            }
            throw th3;
        }
    }

    @Test
    public void excludeBasicFof() throws Exception {
        RestHelper restHelper = clusterFof.restHelper();
        Header basicAuth = basicAuth("exclusion_test_user_basic", "secret");
        Assert.assertThat(restHelper.executeGetRequest("/exclude_test_*/_search", basicAuth), RestMatchers.isForbidden());
        RestHelper.HttpResponse executeGetRequest = restHelper.executeGetRequest("/exclude_test_allow_*/_search", basicAuth);
        Assert.assertThat(executeGetRequest, RestMatchers.isOk());
        Assert.assertThat(executeGetRequest, RestMatchers.json(RestMatchers.nodeAt("hits.hits[*]._source.index", Matchers.containsInAnyOrder(new String[]{"exclude_test_allow_1", "exclude_test_allow_2"}))));
        Assert.assertThat(restHelper.executeGetRequest("/exclude_test_disallow_1/_search", basicAuth), RestMatchers.isForbidden());
    }

    @Test
    public void excludeBasicFofNoPattern() throws Exception {
        RestHelper restHelper = clusterFof.restHelper();
        Header basicAuth = basicAuth("exclusion_test_user_basic_no_pattern", "secret");
        Assert.assertThat(restHelper.executeGetRequest("/exclude_test_*/_search", basicAuth), RestMatchers.isForbidden());
        RestHelper.HttpResponse executeGetRequest = restHelper.executeGetRequest("/exclude_test_allow_*/_search", basicAuth);
        Assert.assertThat(executeGetRequest, RestMatchers.isOk());
        Assert.assertThat(executeGetRequest, RestMatchers.json(RestMatchers.nodeAt("hits.hits[*]._source.index", Matchers.containsInAnyOrder(new String[]{"exclude_test_allow_1", "exclude_test_allow_2"}))));
        Assert.assertThat(restHelper.executeGetRequest("/exclude_test_disallow_1/_search", basicAuth), RestMatchers.isOk());
        Assert.assertThat(restHelper.executeGetRequest("/exclude_test_disallow_2/_search", basicAuth), RestMatchers.isForbidden());
    }

    @Test
    public void excludeWriteFof() throws Exception {
        Client internalClient = clusterFof.getInternalClient();
        try {
            internalClient.index(new IndexRequest("write_exclude_test_allow_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "write_exclude_test_allow_1", "b", "y", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("write_exclude_test_allow_2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "write_exclude_test_allow_2", "b", "yy", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("write_exclude_test_disallow_1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "write_exclude_test_disallow_1", "b", "yy", "date", "1985/01/01"})).actionGet();
            internalClient.index(new IndexRequest("write_exclude_test_disallow_2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(XContentType.JSON, new Object[]{"index", "write_exclude_test_disallow_2", "b", "yy", "date", "1985/01/01"})).actionGet();
            if (internalClient != null) {
                internalClient.close();
            }
            RestHelper.HttpResponse executeGetRequest = clusterFof.restHelper().executeGetRequest("/write_exclude_test_*/_search", basicAuth("exclusion_test_user_write", "secret"));
            Assert.assertThat(executeGetRequest, RestMatchers.isOk());
            Assert.assertThat(executeGetRequest, RestMatchers.json(RestMatchers.nodeAt("hits.hits[*]._source.index", Matchers.containsInAnyOrder(new String[]{"write_exclude_test_allow_1", "write_exclude_test_allow_2", "write_exclude_test_disallow_1", "write_exclude_test_disallow_2"}))));
            RestHighLevelClient restHighLevelClient = clusterFof.getRestHighLevelClient("exclusion_test_user_write", "secret");
            try {
                Assert.assertEquals(DocWriteResponse.Result.CREATED, restHighLevelClient.index(new IndexRequest("write_exclude_test_allow_1").source(new Object[]{"a", "b"}), RequestOptions.DEFAULT).getResult());
                try {
                    restHighLevelClient.index(new IndexRequest("write_exclude_test_disallow_1").source(new Object[]{"a", "b"}), RequestOptions.DEFAULT);
                    Assert.fail();
                } catch (ElasticsearchStatusException e) {
                    Assert.assertEquals(RestStatus.FORBIDDEN, e.status());
                    Assert.assertTrue(e.getMessage(), e.getMessage().contains("no permissions for [indices:data/write/index]"));
                }
                if (restHighLevelClient != null) {
                    restHighLevelClient.close();
                }
            } catch (Throwable th) {
                if (restHighLevelClient != null) {
                    try {
                        restHighLevelClient.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (Throwable th3) {
            if (internalClient != null) {
                try {
                    internalClient.close();
                } catch (Throwable th4) {
                    th3.addSuppressed(th4);
                }
            }
            throw th3;
        }
    }

    @Test
    public void excludeClusterPermission() throws Exception {
        RestHelper restHelper = cluster.restHelper();
        RestHelper.HttpResponse executeGetRequest = restHelper.executeGetRequest("/exclude_test_*/_search", basicAuth("exclusion_test_user_basic", "secret"));
        Assert.assertThat(executeGetRequest, RestMatchers.isOk());
        Assert.assertThat(executeGetRequest, RestMatchers.json(RestMatchers.nodeAt("hits.hits[*]._source.index", Matchers.containsInAnyOrder(new String[]{"exclude_test_allow_1", "exclude_test_allow_2"}))));
        RestHelper.HttpResponse executeGetRequest2 = restHelper.executeGetRequest("/exclude_test_*/_search", basicAuth("exclusion_test_user_cluster_permission", "secret"));
        Assert.assertThat(executeGetRequest2, RestMatchers.isOk());
        Assert.assertThat(executeGetRequest2, RestMatchers.json(RestMatchers.nodeAt("hits.hits[*]._source.index", Matchers.containsInAnyOrder(new String[]{"exclude_test_allow_1", "exclude_test_allow_2"}))));
        RestHelper.HttpResponse executePostRequest = restHelper.executePostRequest("/exclude_test_*/_msearch", "{}\n{\"query\": {\"match_all\": {}}}\n", basicAuth("exclusion_test_user_basic", "secret"));
        Assert.assertThat(executePostRequest, RestMatchers.isOk());
        Assert.assertThat(executePostRequest, RestMatchers.json(RestMatchers.nodeAt("responses[0].hits.hits[*]._source.index", Matchers.containsInAnyOrder(new String[]{"exclude_test_allow_1", "exclude_test_allow_2"}))));
        Assert.assertThat(restHelper.executePostRequest("/exclude_test_*/_msearch", "{}\n{\"query\": {\"match_all\": {}}}\n", basicAuth("exclusion_test_user_cluster_permission", "secret")), RestMatchers.isForbidden());
    }

    private static Header basicAuth(String str, String str2) {
        return new BasicHeader("Authorization", "Basic " + Base64.getEncoder().encodeToString((str + ":" + ((String) Objects.requireNonNull(str2))).getBytes(StandardCharsets.UTF_8)));
    }
}
