package com.floragunn.searchguard;

import com.floragunn.searchguard.action.configupdate.ConfigUpdateAction;
import com.floragunn.searchguard.action.configupdate.ConfigUpdateRequest;
import com.floragunn.searchguard.action.configupdate.ConfigUpdateResponse;
import com.floragunn.searchguard.action.whoami.WhoAmIAction;
import com.floragunn.searchguard.action.whoami.WhoAmIRequest;
import com.floragunn.searchguard.action.whoami.WhoAmIResponse;
import com.floragunn.searchguard.http.HTTPClientCertAuthenticator;
import com.floragunn.searchguard.test.DynamicSgConfig;
import com.floragunn.searchguard.test.SingleClusterTest;
import com.floragunn.searchguard.test.helper.cluster.JavaSecurityTestSetup;
import com.floragunn.searchguard.test.helper.file.FileHelper;
import com.floragunn.searchguard.test.helper.rest.RestHelper;
import io.netty.handler.ssl.OpenSsl;
import java.nio.file.Path;
import java.util.TreeSet;
import org.apache.http.Header;
import org.apache.http.message.BasicHeader;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.admin.cluster.reroute.ClusterRerouteRequest;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.rest.RestRequest;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/IntegrationTests.class */
public class IntegrationTests extends SingleClusterTest {

    @ClassRule
    public static JavaSecurityTestSetup javaSecurity = new JavaSecurityTestSetup();

    @Test
    public void testSearchScroll() throws Exception {
        Thread.setDefaultUncaughtExceptionHandler((thread, th) -> {
            th.printStackTrace();
        });
        setup(Settings.builder().putList("searchguard.authcz.rest_impersonation_user.worf", new String[]{"knuddel", "nonexists"}).build());
        RestHelper nonSslRestHelper = nonSslRestHelper();
        TransportClient internalTransportClient = getInternalTransportClient();
        for (int i = 0; i < 3; i++) {
            try {
                internalTransportClient.index(new IndexRequest("vulcangov").type("kolinahr").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            } catch (Throwable th2) {
                if (internalTransportClient != null) {
                    try {
                        internalTransportClient.close();
                    } catch (Throwable th3) {
                        th2.addSuppressed(th3);
                    }
                }
                throw th2;
            }
        }
        if (internalTransportClient != null) {
            internalTransportClient.close();
        }
        System.out.println("########search");
        RestHelper.HttpResponse executeGetRequest = nonSslRestHelper.executeGetRequest("vulcangov/_search?scroll=1m&pretty=true", encodeBasicHeader("nagilum", "nagilum"));
        Assert.assertEquals(200L, executeGetRequest.getStatusCode());
        System.out.println(executeGetRequest.getBody());
        int indexOf = executeGetRequest.getBody().indexOf("_scroll_id") + 15;
        System.out.println(executeGetRequest.getBody().substring(indexOf, executeGetRequest.getBody().indexOf("\"", indexOf + 1)));
        System.out.println("########search scroll");
        Assert.assertEquals(200L, nonSslRestHelper.executePostRequest("/_search/scroll?pretty=true", "{\"scroll_id\" : \"" + r0 + "\"}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
        System.out.println("########search done");
    }

    @Test
    public void testNotInsecure() throws Exception {
        setup(Settings.EMPTY, new DynamicSgConfig().setSgRoles("sg_roles_deny.yml"), Settings.EMPTY, true);
        RestHelper nonSslRestHelper = nonSslRestHelper();
        TransportClient internalTransportClient = getInternalTransportClient();
        try {
            internalTransportClient.index(new IndexRequest("test").type("type1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("lorem").type("type1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"field2\":\"init\"}", XContentType.JSON)).actionGet();
            WhoAmIResponse whoAmIResponse = (WhoAmIResponse) internalTransportClient.execute(WhoAmIAction.INSTANCE, new WhoAmIRequest()).actionGet();
            System.out.println(whoAmIResponse);
            Assert.assertEquals("CN=kirk,OU=client,O=client,L=Test,C=DE", whoAmIResponse.getDn());
            Assert.assertTrue(whoAmIResponse.isAdmin());
            Assert.assertTrue(whoAmIResponse.toString(), whoAmIResponse.isAuthenticated());
            Assert.assertFalse(whoAmIResponse.toString(), whoAmIResponse.isNodeCertificateRequest());
            if (internalTransportClient != null) {
                internalTransportClient.close();
            }
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("test/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", encodeBasicHeader("writer", "writer")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePostRequest("_cluster/reroute", "{}", encodeBasicHeader("writer", "writer")).getStatusCode());
            TransportClient userTransportClient = getUserTransportClient(this.clusterInfo, "spock-keystore.jks", Settings.EMPTY);
            try {
                try {
                    userTransportClient.admin().indices().putMapping(new PutMappingRequest(new String[]{"test"}).type("typex").source(new Object[]{"fieldx", "type=text"})).actionGet();
                    Assert.fail();
                } catch (Throwable th) {
                    if (userTransportClient != null) {
                        try {
                            userTransportClient.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (ElasticsearchSecurityException e) {
                Assert.assertTrue(e.toString(), e.getMessage().contains("no permissions for"));
            }
            try {
                userTransportClient.admin().cluster().reroute(new ClusterRerouteRequest()).actionGet();
                Assert.fail();
            } catch (ElasticsearchSecurityException e2) {
                Assert.assertTrue(e2.toString(), e2.getMessage().contains("no permissions for [cluster:admin/reroute]"));
            }
            WhoAmIResponse whoAmIResponse2 = (WhoAmIResponse) userTransportClient.execute(WhoAmIAction.INSTANCE, new WhoAmIRequest()).actionGet();
            Assert.assertEquals("CN=spock,OU=client,O=client,L=Test,C=DE", whoAmIResponse2.getDn());
            Assert.assertFalse(whoAmIResponse2.isAdmin());
            Assert.assertTrue(whoAmIResponse2.toString(), whoAmIResponse2.isAuthenticated());
            Assert.assertFalse(whoAmIResponse2.toString(), whoAmIResponse2.isNodeCertificateRequest());
            if (userTransportClient != null) {
                userTransportClient.close();
            }
        } catch (Throwable th3) {
            if (internalTransportClient != null) {
                try {
                    internalTransportClient.close();
                } catch (Throwable th4) {
                    th3.addSuppressed(th4);
                }
            }
            throw th3;
        }
    }

    @Test
    public void testDnParsingCertAuth() throws Exception {
        HTTPClientCertAuthenticator hTTPClientCertAuthenticator = new HTTPClientCertAuthenticator(Settings.builder().put("username_attribute", "cn").put("roles_attribute", "l").build(), (Path) null);
        Assert.assertEquals("abc", hTTPClientCertAuthenticator.extractCredentials((RestRequest) null, newThreadContext("cn=abc,cn=xxx,l=ert,st=zui,c=qwe")).getUsername());
        Assert.assertEquals("abc", hTTPClientCertAuthenticator.extractCredentials((RestRequest) null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe")).getUsername());
        Assert.assertEquals("abc", hTTPClientCertAuthenticator.extractCredentials((RestRequest) null, newThreadContext("CN=abc,L=ert,st=zui,c=qwe")).getUsername());
        Assert.assertEquals("abc", hTTPClientCertAuthenticator.extractCredentials((RestRequest) null, newThreadContext("l=ert,cn=abc,st=zui,c=qwe")).getUsername());
        Assert.assertNull(hTTPClientCertAuthenticator.extractCredentials((RestRequest) null, newThreadContext("L=ert,CN=abc,c,st=zui,c=qwe")));
        Assert.assertEquals("abc", hTTPClientCertAuthenticator.extractCredentials((RestRequest) null, newThreadContext("l=ert,st=zui,c=qwe,cn=abc")).getUsername());
        Assert.assertEquals("abc", hTTPClientCertAuthenticator.extractCredentials((RestRequest) null, newThreadContext("L=ert,st=zui,c=qwe,CN=abc")).getUsername());
        Assert.assertEquals("L=ert,st=zui,c=qwe", hTTPClientCertAuthenticator.extractCredentials((RestRequest) null, newThreadContext("L=ert,st=zui,c=qwe")).getUsername());
        Assert.assertArrayEquals(new String[]{"ert"}, hTTPClientCertAuthenticator.extractCredentials((RestRequest) null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe")).getBackendRoles().toArray(new String[0]));
        Assert.assertArrayEquals(new String[]{"bleh", "ert"}, new TreeSet(hTTPClientCertAuthenticator.extractCredentials((RestRequest) null, newThreadContext("cn=abc,l=ert,L=bleh,st=zui,c=qwe")).getBackendRoles()).toArray(new String[0]));
        Assert.assertEquals("cn=abc,l=ert,st=zui,c=qwe", new HTTPClientCertAuthenticator(Settings.builder().build(), (Path) null).extractCredentials((RestRequest) null, newThreadContext("cn=abc,l=ert,st=zui,c=qwe")).getUsername());
    }

    private ThreadContext newThreadContext(String str) {
        ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
        threadContext.putTransient("_sg_ssl_principal", str);
        return threadContext;
    }

    @Test
    public void testDNSpecials() throws Exception {
        setup(Settings.builder().put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")).put("searchguard.ssl.transport.keystore_type", "PKCS12").build(), new DynamicSgConfig(), Settings.builder().put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")).put("searchguard.ssl.transport.keystore_alias", "1").put("searchguard.ssl.transport.keystore_type", "PKCS12").putList("searchguard.nodes_dn", new String[]{"EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE"}).putList("searchguard.authcz.admin_dn", new String[]{"EMAILADDRESS=unt@xxx.com,CN=node-untspec6.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE"}).put("searchguard.cert.oid", "1.2.3.4.5.6").build(), true);
        RestHelper nonSslRestHelper = nonSslRestHelper();
        Assert.assertEquals(401L, nonSslRestHelper.executeGetRequest("", new Header[0]).getStatusCode());
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", encodeBasicHeader("worf", "worf")).getStatusCode());
    }

    @Test
    public void testDNSpecials1() throws Exception {
        setup(Settings.builder().put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-untspec6-keystore.p12")).put("searchguard.ssl.transport.keystore_type", "PKCS12").build(), new DynamicSgConfig(), Settings.builder().put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("node-untspec5-keystore.p12")).put("searchguard.ssl.transport.keystore_alias", "1").put("searchguard.ssl.transport.keystore_type", "PKCS12").putList("searchguard.nodes_dn", new String[]{"EMAILADDRESS=unt@tst.com,CN=node-untspec5.example.com,OU=SSL,O=Te\\, st,L=Test,C=DE"}).putList("searchguard.authcz.admin_dn", new String[]{"EMAILADDREss=unt@xxx.com,  cn=node-untspec6.example.com, OU=SSL,O=Te\\, st,L=Test, c=DE"}).put("searchguard.cert.oid", "1.2.3.4.5.6").build(), true);
        RestHelper nonSslRestHelper = nonSslRestHelper();
        Assert.assertEquals(401L, nonSslRestHelper.executeGetRequest("", new Header[0]).getStatusCode());
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", encodeBasicHeader("worf", "worf")).getStatusCode());
    }

    @Test
    public void testEnsureOpenSSLAvailability() {
        Assume.assumeTrue(this.allowOpenSSL);
        Assert.assertTrue(String.valueOf(OpenSsl.unavailabilityCause()), OpenSsl.isAvailable());
    }

    @Test
    public void testMultiget() throws Exception {
        setup();
        TransportClient internalTransportClient = getInternalTransportClient();
        try {
            internalTransportClient.index(new IndexRequest("mindex1").type("type").id("1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("mindex2").type("type").id("2").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet();
            if (internalTransportClient != null) {
                internalTransportClient.close();
            }
            RestHelper.HttpResponse executePostRequest = nonSslRestHelper().executePostRequest("_mget?refresh=true", "{\"docs\" : [{\"_index\" : \"mindex1\",\"_type\" : \"type\",\"_id\" : \"1\" }, {\"_index\" : \"mindex2\", \"_type\" : \"type\", \"_id\" : \"2\"}]}", encodeBasicHeader("picard", "picard"));
            System.out.println(executePostRequest.getBody());
            Assert.assertEquals(200L, executePostRequest.getStatusCode());
            Assert.assertFalse(executePostRequest.getBody().contains("type2"));
        } catch (Throwable th) {
            if (internalTransportClient != null) {
                try {
                    internalTransportClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testRestImpersonation() throws Exception {
        setup(Settings.builder().putList("searchguard.authcz.rest_impersonation_user.spock", new String[]{"knuddel", "userwhonotexists"}).build());
        RestHelper nonSslRestHelper = nonSslRestHelper();
        Assert.assertEquals(403L, nonSslRestHelper.executeGetRequest("/_searchguard/authinfo", new BasicHeader("sg_impersonate_as", "knuddel"), encodeBasicHeader("worf", "worf")).getStatusCode());
        RestHelper.HttpResponse executeGetRequest = nonSslRestHelper.executeGetRequest("/_searchguard/authinfo", new BasicHeader("sg_impersonate_as", "knuddel"), encodeBasicHeader("spock", "spock"));
        Assert.assertEquals(200L, executeGetRequest.getStatusCode());
        Assert.assertTrue(executeGetRequest.getBody(), executeGetRequest.getBody().contains("User knuddel"));
        Assert.assertFalse(executeGetRequest.getBody().contains("spock"));
        System.out.println(nonSslRestHelper.executeGetRequest("/_searchguard/authinfo", new BasicHeader("sg_impersonate_as", "userwhonotexists"), encodeBasicHeader("spock", "spock")).getBody());
        Assert.assertEquals(403L, r0.getStatusCode());
        Assert.assertEquals(403L, nonSslRestHelper.executeGetRequest("/_searchguard/authinfo", new BasicHeader("sg_impersonate_as", "invalid"), encodeBasicHeader("spock", "spock")).getStatusCode());
    }

    @Test
    public void testSingle() throws Exception {
        setup();
        TransportClient internalTransportClient = getInternalTransportClient();
        try {
            internalTransportClient.index(new IndexRequest("shakespeare").type("type").id("1").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            Assert.assertFalse(((ConfigUpdateResponse) internalTransportClient.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config", "roles", "rolesmapping", "internalusers", "actiongroups"})).actionGet()).hasFailures());
            Assert.assertEquals(this.clusterInfo.numNodes, r0.getNodes().size());
            if (internalTransportClient != null) {
                internalTransportClient.close();
            }
            RestHelper.HttpResponse executeGetRequest = nonSslRestHelper().executeGetRequest("shakespeare/_search", encodeBasicHeader("picard", "picard"));
            System.out.println(executeGetRequest.getBody());
            Assert.assertEquals(200L, executeGetRequest.getStatusCode());
            Assert.assertTrue(executeGetRequest.getBody().contains("\"content\":1"));
            Assert.assertEquals(200L, r0.executeHeadRequest("shakespeare", encodeBasicHeader("picard", "picard")).getStatusCode());
        } catch (Throwable th) {
            if (internalTransportClient != null) {
                try {
                    internalTransportClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testSpecialUsernames() throws Exception {
        setup();
        RestHelper nonSslRestHelper = nonSslRestHelper();
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", encodeBasicHeader("bug.99", "nagilum")).getStatusCode());
        Assert.assertEquals(401L, nonSslRestHelper.executeGetRequest("", encodeBasicHeader("a", "b")).getStatusCode());
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", encodeBasicHeader("\"'+-,;_?*@<>!$%&/()=#", "nagilum")).getStatusCode());
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("", encodeBasicHeader("§ÄÖÜäöüß", "nagilum")).getStatusCode());
    }

    @Test
    public void testXff() throws Exception {
        setup(Settings.EMPTY, new DynamicSgConfig().setSgConfig("sg_config_xff.yml"), Settings.EMPTY, true);
        RestHelper.HttpResponse executeGetRequest = nonSslRestHelper().executeGetRequest("_searchguard/authinfo", new BasicHeader("x-forwarded-for", "10.0.0.7"), encodeBasicHeader("worf", "worf"));
        Assert.assertEquals(200L, executeGetRequest.getStatusCode());
        Assert.assertTrue(executeGetRequest.getBody().contains("10.0.0.7"));
    }

    @Test
    public void testRegexExcludes() throws Exception {
        setup(Settings.EMPTY, new DynamicSgConfig(), Settings.EMPTY);
        TransportClient internalTransportClient = getInternalTransportClient(this.clusterInfo, Settings.EMPTY);
        try {
            internalTransportClient.index(new IndexRequest("indexa").type("type01").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"indexa\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("indexb").type("type01").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"indexb\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("isallowed").type("type01").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"isallowed\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("special").type("type01").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"special\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("alsonotallowed").type("type01").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"alsonotallowed\":1}", XContentType.JSON)).actionGet();
            if (internalTransportClient != null) {
                internalTransportClient.close();
            }
            RestHelper nonSslRestHelper = nonSslRestHelper();
            Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("index*/_search", encodeBasicHeader("rexclude", "nagilum")).getStatusCode());
            Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("indexa/_search", encodeBasicHeader("rexclude", "nagilum")).getStatusCode());
            Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("isallowed/_search", encodeBasicHeader("rexclude", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executeGetRequest("special/_search", encodeBasicHeader("rexclude", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executeGetRequest("alsonotallowed/_search", encodeBasicHeader("rexclude", "nagilum")).getStatusCode());
        } catch (Throwable th) {
            if (internalTransportClient != null) {
                try {
                    internalTransportClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testMultiRoleSpan() throws Exception {
        setup();
        RestHelper nonSslRestHelper = nonSslRestHelper();
        TransportClient internalTransportClient = getInternalTransportClient();
        try {
            internalTransportClient.index(new IndexRequest("mindex_1").type("logs").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("mindex_2").type("logs").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet();
            if (internalTransportClient != null) {
                internalTransportClient.close();
            }
            RestHelper.HttpResponse executeGetRequest = nonSslRestHelper.executeGetRequest("/mindex_1,mindex_2/_search", encodeBasicHeader("mindex12", "nagilum"));
            System.out.println(executeGetRequest.getBody());
            Assert.assertEquals(403L, executeGetRequest.getStatusCode());
            Assert.assertFalse(executeGetRequest.getBody().contains("\"content\":1"));
            Assert.assertFalse(executeGetRequest.getBody().contains("\"content\":2"));
            internalTransportClient = getInternalTransportClient();
            try {
                internalTransportClient.index(new IndexRequest("searchguard").type(getType()).id("config").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source(new Object[]{"config", FileHelper.readYamlContent("sg_config_multirolespan.yml")})).actionGet();
                Assert.assertFalse(((ConfigUpdateResponse) internalTransportClient.execute(ConfigUpdateAction.INSTANCE, new ConfigUpdateRequest(new String[]{"config"})).actionGet()).hasFailures());
                Assert.assertEquals(this.clusterInfo.numNodes, r0.getNodes().size());
                if (internalTransportClient != null) {
                    internalTransportClient.close();
                }
                RestHelper.HttpResponse executeGetRequest2 = nonSslRestHelper.executeGetRequest("/mindex_1,mindex_2/_search", encodeBasicHeader("mindex12", "nagilum"));
                System.out.println(executeGetRequest2.getBody());
                Assert.assertEquals(200L, executeGetRequest2.getStatusCode());
                Assert.assertTrue(executeGetRequest2.getBody().contains("\"content\":1"));
                Assert.assertTrue(executeGetRequest2.getBody().contains("\"content\":2"));
            } finally {
            }
        } finally {
        }
    }

    @Test
    public void testMultiRoleSpan2() throws Exception {
        setup(Settings.EMPTY, new DynamicSgConfig().setSgConfig("sg_config_multirolespan.yml"), Settings.EMPTY);
        RestHelper nonSslRestHelper = nonSslRestHelper();
        TransportClient internalTransportClient = getInternalTransportClient();
        try {
            internalTransportClient.index(new IndexRequest("mindex_1").type("logs").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("mindex_2").type("logs").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("mindex_3").type("logs").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("mindex_4").type("logs").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":2}", XContentType.JSON)).actionGet();
            if (internalTransportClient != null) {
                internalTransportClient.close();
            }
            Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("/mindex_1,mindex_2/_search", encodeBasicHeader("mindex12", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executeGetRequest("/mindex_1,mindex_3/_search", encodeBasicHeader("mindex12", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executeGetRequest("/mindex_1,mindex_4/_search", encodeBasicHeader("mindex12", "nagilum")).getStatusCode());
        } catch (Throwable th) {
            if (internalTransportClient != null) {
                try {
                    internalTransportClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testSGUnderscore() throws Exception {
        setup();
        RestHelper nonSslRestHelper = nonSslRestHelper();
        nonSslRestHelper.executePostRequest("abc_xyz_2018_05_24/logs/1", "{\"content\":1}", encodeBasicHeader("underscore", "nagilum"));
        RestHelper.HttpResponse executeGetRequest = nonSslRestHelper.executeGetRequest("abc_xyz_2018_05_24/logs/1", encodeBasicHeader("underscore", "nagilum"));
        Assert.assertTrue(executeGetRequest.getBody(), executeGetRequest.getBody().contains("\"content\":1"));
        Assert.assertEquals(200L, executeGetRequest.getStatusCode());
        Assert.assertEquals(200L, nonSslRestHelper.executeGetRequest("abc_xyz_2018_05_24/_refresh", encodeBasicHeader("underscore", "nagilum")).getStatusCode());
        Assert.assertEquals(403L, nonSslRestHelper.executeGetRequest("aaa_bbb_2018_05_24/_refresh", encodeBasicHeader("underscore", "nagilum")).getStatusCode());
    }

    @Test
    public void testDeleteByQueryDnfof() throws Exception {
        setup(Settings.EMPTY, new DynamicSgConfig().setSgConfig("sg_config_dnfof.yml"), Settings.EMPTY);
        TransportClient internalTransportClient = getInternalTransportClient();
        for (int i = 0; i < 3; i++) {
            try {
                internalTransportClient.index(new IndexRequest("vulcangov").type("kolinahr").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            } catch (Throwable th) {
                if (internalTransportClient != null) {
                    try {
                        internalTransportClient.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
        if (internalTransportClient != null) {
            internalTransportClient.close();
        }
        RestHelper.HttpResponse executePostRequest = nonSslRestHelper().executePostRequest("/vulcango*/_delete_by_query?refresh=true&wait_for_completion=true&pretty=true", "{\"query\" : {\"match_all\" : {}}}", encodeBasicHeader("nagilum", "nagilum"));
        Assert.assertEquals(200L, executePostRequest.getStatusCode());
        Assert.assertTrue(executePostRequest.getBody().contains("\"deleted\" : 3"));
    }

    @Test
    public void testUpdate() throws Exception {
        setup(Settings.builder().put("searchguard.roles_mapping_resolution", "BOTH").build());
        RestHelper nonSslRestHelper = nonSslRestHelper();
        TransportClient internalTransportClient = getInternalTransportClient();
        try {
            internalTransportClient.index(new IndexRequest("indexc").type("typec").id("0").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            if (internalTransportClient != null) {
                internalTransportClient.close();
            }
            System.out.println(nonSslRestHelper.executePostRequest("indexc/typec/0/_update?pretty=true&refresh=true", "{\"doc\" : {\"content\":2}}", encodeBasicHeader("user_c", "user_c")).getBody());
            Assert.assertEquals(200L, r0.getStatusCode());
        } catch (Throwable th) {
            if (internalTransportClient != null) {
                try {
                    internalTransportClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testDnfof() throws Exception {
        setup(Settings.EMPTY, new DynamicSgConfig().setSgConfig("sg_config_dnfof.yml"), Settings.builder().put("searchguard.roles_mapping_resolution", "BOTH").build());
        RestHelper nonSslRestHelper = nonSslRestHelper();
        TransportClient internalTransportClient = getInternalTransportClient();
        try {
            internalTransportClient.admin().indices().create(new CreateIndexRequest("copysf")).actionGet();
            internalTransportClient.index(new IndexRequest("indexa").type("doc").id("0").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":\"indexa\"}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("indexb").type("doc").id("0").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":\"indexb\"}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("vulcangov").type("kolinahr").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("starfleet").type("ships").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("starfleet_academy").type("students").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("starfleet_library").type("public").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("klingonempire").type("ships").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("public").type("legends").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("spock").type("type01").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("kirk").type("type01").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("role01_role02").type("type01").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(IndicesAliasesRequest.AliasActions.add().indices(new String[]{"starfleet", "starfleet_academy", "starfleet_library"}).alias("sf"))).actionGet();
            internalTransportClient.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(IndicesAliasesRequest.AliasActions.add().indices(new String[]{"klingonempire", "vulcangov"}).alias("nonsf"))).actionGet();
            internalTransportClient.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(IndicesAliasesRequest.AliasActions.add().indices(new String[]{"public"}).alias("unrestricted"))).actionGet();
            if (internalTransportClient != null) {
                internalTransportClient.close();
            }
            RestHelper.HttpResponse executeGetRequest = nonSslRestHelper.executeGetRequest("indexa,indexb/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(200L, executeGetRequest.getStatusCode());
            System.out.println(executeGetRequest.getBody());
            Assert.assertTrue(executeGetRequest.getBody(), executeGetRequest.getBody().contains("indexa"));
            Assert.assertFalse(executeGetRequest.getBody(), executeGetRequest.getBody().contains("indexb"));
            Assert.assertFalse(executeGetRequest.getBody(), executeGetRequest.getBody().contains("exception"));
            Assert.assertFalse(executeGetRequest.getBody(), executeGetRequest.getBody().contains("permission"));
            RestHelper.HttpResponse executeGetRequest2 = nonSslRestHelper.executeGetRequest("indexa,indexb/_search?pretty", encodeBasicHeader("user_b", "user_b"));
            Assert.assertEquals(200L, executeGetRequest2.getStatusCode());
            System.out.println(executeGetRequest2.getBody());
            Assert.assertFalse(executeGetRequest2.getBody(), executeGetRequest2.getBody().contains("indexa"));
            Assert.assertTrue(executeGetRequest2.getBody(), executeGetRequest2.getBody().contains("indexb"));
            Assert.assertFalse(executeGetRequest2.getBody(), executeGetRequest2.getBody().contains("exception"));
            Assert.assertFalse(executeGetRequest2.getBody(), executeGetRequest2.getBody().contains("permission"));
            String str = "{\"index\":\"indexa\", \"type\":\"doc\", \"ignore_unavailable\": true}" + System.lineSeparator() + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + System.lineSeparator() + "{\"index\":\"indexb\", \"type\":\"doc\", \"ignore_unavailable\": true}" + System.lineSeparator() + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + System.lineSeparator() + "{\"index\":\"index*\", \"type\":\"doc\", \"ignore_unavailable\": true}" + System.lineSeparator() + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + System.lineSeparator();
            System.out.println("#### msearch");
            RestHelper.HttpResponse executePostRequest = nonSslRestHelper.executePostRequest("_msearch?pretty", str, encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(200L, executePostRequest.getStatusCode());
            System.out.println(executePostRequest.getBody());
            Assert.assertTrue(executePostRequest.getBody(), executePostRequest.getBody().contains("indexa"));
            Assert.assertFalse(executePostRequest.getBody(), executePostRequest.getBody().contains("indexb"));
            Assert.assertTrue(executePostRequest.getBody(), executePostRequest.getBody().contains("exception"));
            Assert.assertTrue(executePostRequest.getBody(), executePostRequest.getBody().contains("permission"));
            Assert.assertEquals(3L, executePostRequest.getBody().split("\"status\" : 200").length);
            Assert.assertEquals(2L, executePostRequest.getBody().split("\"status\" : 403").length);
            RestHelper.HttpResponse executePostRequest2 = nonSslRestHelper.executePostRequest("_msearch?pretty", str, encodeBasicHeader("user_b", "user_b"));
            Assert.assertEquals(200L, executePostRequest2.getStatusCode());
            System.out.println(executePostRequest2.getBody());
            Assert.assertFalse(executePostRequest2.getBody(), executePostRequest2.getBody().contains("indexa"));
            Assert.assertTrue(executePostRequest2.getBody(), executePostRequest2.getBody().contains("indexb"));
            Assert.assertTrue(executePostRequest2.getBody(), executePostRequest2.getBody().contains("exception"));
            Assert.assertTrue(executePostRequest2.getBody(), executePostRequest2.getBody().contains("permission"));
            Assert.assertEquals(3L, executePostRequest2.getBody().split("\"status\" : 200").length);
            Assert.assertEquals(2L, executePostRequest2.getBody().split("\"status\" : 403").length);
            Assert.assertEquals(403L, nonSslRestHelper.executePostRequest("_msearch?pretty", "{\"index\":\"indexc\", \"type\":\"doc\", \"ignore_unavailable\": true}" + System.lineSeparator() + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + System.lineSeparator() + "{\"index\":\"indexd\", \"type\":\"doc\", \"ignore_unavailable\": true}" + System.lineSeparator() + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + System.lineSeparator(), encodeBasicHeader("user_b", "user_b")).getStatusCode());
            System.out.println("#### mget");
            RestHelper.HttpResponse executePostRequest3 = nonSslRestHelper.executePostRequest("_mget?pretty", "{\"docs\" : [{\"_index\" : \"indexa\",\"_type\" : \"doc\",\"_id\" : \"0\" }, {\"_index\" : \"indexb\", \"_type\" : \"doc\", \"_id\" : \"0\"}]}", encodeBasicHeader("user_b", "user_b"));
            Assert.assertEquals(200L, executePostRequest3.getStatusCode());
            Assert.assertFalse(executePostRequest3.getBody(), executePostRequest3.getBody().contains("\"content\" : \"indexa\""));
            Assert.assertTrue(executePostRequest3.getBody(), executePostRequest3.getBody().contains("\"content\" : \"indexb\""));
            Assert.assertTrue(executePostRequest3.getBody(), executePostRequest3.getBody().contains("exception"));
            Assert.assertTrue(executePostRequest3.getBody(), executePostRequest3.getBody().contains("permission"));
            Assert.assertEquals(403L, nonSslRestHelper.executePostRequest("_mget?pretty", "{\"docs\" : [{\"_index\" : \"indexx\",\"_type\" : \"doc\",\"_id\" : \"0\" }, {\"_index\" : \"indexy\", \"_type\" : \"doc\", \"_id\" : \"0\"}]}", encodeBasicHeader("user_b", "user_b")).getStatusCode());
            RestHelper.HttpResponse executeGetRequest3 = nonSslRestHelper.executeGetRequest("_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(200L, executeGetRequest3.getStatusCode());
            System.out.println(executeGetRequest3.getBody());
            Assert.assertTrue(executeGetRequest3.getBody(), executeGetRequest3.getBody().contains("indexa"));
            Assert.assertFalse(executeGetRequest3.getBody(), executeGetRequest3.getBody().contains("indexb"));
            RestHelper.HttpResponse executeGetRequest4 = nonSslRestHelper.executeGetRequest("index*/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(200L, executeGetRequest4.getStatusCode());
            System.out.println(executeGetRequest4.getBody());
            Assert.assertTrue(executeGetRequest4.getBody(), executeGetRequest4.getBody().contains("indexa"));
            Assert.assertFalse(executeGetRequest4.getBody(), executeGetRequest4.getBody().contains("indexb"));
            Assert.assertFalse(executeGetRequest4.getBody(), executeGetRequest4.getBody().contains("exception"));
            Assert.assertFalse(executeGetRequest4.getBody(), executeGetRequest4.getBody().contains("permission"));
            RestHelper.HttpResponse executeGetRequest5 = nonSslRestHelper.executeGetRequest("indexa/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(200L, executeGetRequest5.getStatusCode());
            System.out.println(executeGetRequest5.getBody());
            RestHelper.HttpResponse executeGetRequest6 = nonSslRestHelper.executeGetRequest("indexb/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(403L, executeGetRequest6.getStatusCode());
            System.out.println(executeGetRequest6.getBody());
            RestHelper.HttpResponse executeGetRequest7 = nonSslRestHelper.executeGetRequest("*/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(200L, executeGetRequest7.getStatusCode());
            System.out.println(executeGetRequest7.getBody());
            RestHelper.HttpResponse executeGetRequest8 = nonSslRestHelper.executeGetRequest("_all/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(200L, executeGetRequest8.getStatusCode());
            System.out.println(executeGetRequest8.getBody());
            RestHelper.HttpResponse executeGetRequest9 = nonSslRestHelper.executeGetRequest("notexists/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(403L, executeGetRequest9.getStatusCode());
            System.out.println(executeGetRequest9.getBody());
            RestHelper.HttpResponse executeGetRequest10 = nonSslRestHelper.executeGetRequest("permitnotexistentindex/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(404L, executeGetRequest10.getStatusCode());
            System.out.println(executeGetRequest10.getBody());
            RestHelper.HttpResponse executeGetRequest11 = nonSslRestHelper.executeGetRequest("permitnotexistentindex*/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(200L, executeGetRequest11.getStatusCode());
            System.out.println(executeGetRequest11.getBody());
            RestHelper.HttpResponse executeGetRequest12 = nonSslRestHelper.executeGetRequest("indexanbh,indexabb*/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(404L, executeGetRequest12.getStatusCode());
            System.out.println(executeGetRequest12.getBody());
            RestHelper.HttpResponse executeGetRequest13 = nonSslRestHelper.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(403L, executeGetRequest13.getStatusCode());
            System.out.println(executeGetRequest13.getBody());
            RestHelper.HttpResponse executeGetRequest14 = nonSslRestHelper.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf"));
            Assert.assertEquals(200L, executeGetRequest14.getStatusCode());
            System.out.println(executeGetRequest14.getBody());
            System.out.println("#### _all/_mapping/field/*");
            RestHelper.HttpResponse executeGetRequest15 = nonSslRestHelper.executeGetRequest("_all/_mapping/field/*", encodeBasicHeader("nagilum", "nagilum"));
            Assert.assertEquals(200L, executeGetRequest15.getStatusCode());
            System.out.println(executeGetRequest15.getBody());
        } catch (Throwable th) {
            if (internalTransportClient != null) {
                try {
                    internalTransportClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testNoDnfof() throws Exception {
        setup(Settings.EMPTY, new DynamicSgConfig(), Settings.builder().put("searchguard.roles_mapping_resolution", "BOTH").build());
        RestHelper nonSslRestHelper = nonSslRestHelper();
        TransportClient internalTransportClient = getInternalTransportClient();
        try {
            internalTransportClient.admin().indices().create(new CreateIndexRequest("copysf")).actionGet();
            internalTransportClient.index(new IndexRequest("indexa").type("doc").id("0").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":\"indexa\"}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("indexb").type("doc").id("0").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":\"indexb\"}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("vulcangov").type("kolinahr").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("starfleet").type("ships").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("starfleet_academy").type("students").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("starfleet_library").type("public").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("klingonempire").type("ships").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("public").type("legends").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("spock").type("type01").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("kirk").type("type01").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.index(new IndexRequest("role01_role02").type("type01").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":1}", XContentType.JSON)).actionGet();
            internalTransportClient.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(IndicesAliasesRequest.AliasActions.add().indices(new String[]{"starfleet", "starfleet_academy", "starfleet_library"}).alias("sf"))).actionGet();
            internalTransportClient.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(IndicesAliasesRequest.AliasActions.add().indices(new String[]{"klingonempire", "vulcangov"}).alias("nonsf"))).actionGet();
            internalTransportClient.admin().indices().aliases(new IndicesAliasesRequest().addAliasAction(IndicesAliasesRequest.AliasActions.add().indices(new String[]{"public"}).alias("unrestricted"))).actionGet();
            if (internalTransportClient != null) {
                internalTransportClient.close();
            }
            RestHelper.HttpResponse executeGetRequest = nonSslRestHelper.executeGetRequest("indexa,indexb/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(403L, executeGetRequest.getStatusCode());
            System.out.println(executeGetRequest.getBody());
            RestHelper.HttpResponse executeGetRequest2 = nonSslRestHelper.executeGetRequest("indexa,indexb/_search?pretty", encodeBasicHeader("user_b", "user_b"));
            Assert.assertEquals(403L, executeGetRequest2.getStatusCode());
            System.out.println(executeGetRequest2.getBody());
            String str = "{\"index\":\"indexa\", \"type\":\"doc\", \"ignore_unavailable\": true}" + System.lineSeparator() + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + System.lineSeparator() + "{\"index\":\"indexb\", \"type\":\"doc\", \"ignore_unavailable\": true}" + System.lineSeparator() + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + System.lineSeparator();
            System.out.println("#### msearch a");
            RestHelper.HttpResponse executePostRequest = nonSslRestHelper.executePostRequest("_msearch?pretty", str, encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(200L, executePostRequest.getStatusCode());
            System.out.println(executePostRequest.getBody());
            Assert.assertTrue(executePostRequest.getBody(), executePostRequest.getBody().contains("indexa"));
            Assert.assertFalse(executePostRequest.getBody(), executePostRequest.getBody().contains("indexb"));
            Assert.assertTrue(executePostRequest.getBody(), executePostRequest.getBody().contains("exception"));
            Assert.assertTrue(executePostRequest.getBody(), executePostRequest.getBody().contains("permission"));
            System.out.println("#### msearch b");
            RestHelper.HttpResponse executePostRequest2 = nonSslRestHelper.executePostRequest("_msearch?pretty", str, encodeBasicHeader("user_b", "user_b"));
            Assert.assertEquals(200L, executePostRequest2.getStatusCode());
            System.out.println(executePostRequest2.getBody());
            Assert.assertFalse(executePostRequest2.getBody(), executePostRequest2.getBody().contains("indexa"));
            Assert.assertTrue(executePostRequest2.getBody(), executePostRequest2.getBody().contains("indexb"));
            Assert.assertTrue(executePostRequest2.getBody(), executePostRequest2.getBody().contains("exception"));
            Assert.assertTrue(executePostRequest2.getBody(), executePostRequest2.getBody().contains("permission"));
            String str2 = "{\"index\":\"indexc\", \"type\":\"doc\", \"ignore_unavailable\": true}" + System.lineSeparator() + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + System.lineSeparator() + "{\"index\":\"indexd\", \"type\":\"doc\", \"ignore_unavailable\": true}" + System.lineSeparator() + "{\"size\":10, \"query\":{\"bool\":{\"must\":{\"match_all\":{}}}}}" + System.lineSeparator();
            System.out.println("#### msearch b2");
            RestHelper.HttpResponse executePostRequest3 = nonSslRestHelper.executePostRequest("_msearch?pretty", str2, encodeBasicHeader("user_b", "user_b"));
            System.out.println(executePostRequest3.getBody());
            Assert.assertEquals(200L, executePostRequest3.getStatusCode());
            Assert.assertFalse(executePostRequest3.getBody(), executePostRequest3.getBody().contains("indexc"));
            Assert.assertFalse(executePostRequest3.getBody(), executePostRequest3.getBody().contains("indexd"));
            Assert.assertTrue(executePostRequest3.getBody(), executePostRequest3.getBody().contains("exception"));
            Assert.assertTrue(executePostRequest3.getBody(), executePostRequest3.getBody().contains("permission"));
            Assert.assertEquals(3L, executePostRequest3.getBody().split("\"status\" : 403").length);
            RestHelper.HttpResponse executePostRequest4 = nonSslRestHelper.executePostRequest("_mget?pretty", "{\"docs\" : [{\"_index\" : \"indexa\",\"_type\" : \"doc\",\"_id\" : \"0\" }, {\"_index\" : \"indexb\", \"_type\" : \"doc\", \"_id\" : \"0\"}]}", encodeBasicHeader("user_b", "user_b"));
            Assert.assertEquals(200L, executePostRequest4.getStatusCode());
            Assert.assertFalse(executePostRequest4.getBody(), executePostRequest4.getBody().contains("\"content\" : \"indexa\""));
            Assert.assertTrue(executePostRequest4.getBody(), executePostRequest4.getBody().contains("indexb"));
            Assert.assertTrue(executePostRequest4.getBody(), executePostRequest4.getBody().contains("exception"));
            Assert.assertTrue(executePostRequest4.getBody(), executePostRequest4.getBody().contains("permission"));
            RestHelper.HttpResponse executePostRequest5 = nonSslRestHelper.executePostRequest("_mget?pretty", "{\"docs\" : [{\"_index\" : \"indexx\",\"_type\" : \"doc\",\"_id\" : \"0\" }, {\"_index\" : \"indexy\", \"_type\" : \"doc\", \"_id\" : \"0\"}]}", encodeBasicHeader("user_b", "user_b"));
            Assert.assertEquals(200L, executePostRequest5.getStatusCode());
            Assert.assertTrue(executePostRequest5.getBody(), executePostRequest5.getBody().contains("exception"));
            Assert.assertEquals(3L, executePostRequest5.getBody().split("root_cause").length);
            Assert.assertEquals(403L, nonSslRestHelper.executeGetRequest("_search?pretty", encodeBasicHeader("user_a", "user_a")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executeGetRequest("index*/_search?pretty", encodeBasicHeader("user_a", "user_a")).getStatusCode());
            RestHelper.HttpResponse executeGetRequest3 = nonSslRestHelper.executeGetRequest("indexa/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(200L, executeGetRequest3.getStatusCode());
            System.out.println(executeGetRequest3.getBody());
            RestHelper.HttpResponse executeGetRequest4 = nonSslRestHelper.executeGetRequest("indexb/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(403L, executeGetRequest4.getStatusCode());
            System.out.println(executeGetRequest4.getBody());
            RestHelper.HttpResponse executeGetRequest5 = nonSslRestHelper.executeGetRequest("*/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(403L, executeGetRequest5.getStatusCode());
            System.out.println(executeGetRequest5.getBody());
            RestHelper.HttpResponse executeGetRequest6 = nonSslRestHelper.executeGetRequest("_all/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(403L, executeGetRequest6.getStatusCode());
            System.out.println(executeGetRequest6.getBody());
            RestHelper.HttpResponse executeGetRequest7 = nonSslRestHelper.executeGetRequest("notexists/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(403L, executeGetRequest7.getStatusCode());
            System.out.println(executeGetRequest7.getBody());
            RestHelper.HttpResponse executeGetRequest8 = nonSslRestHelper.executeGetRequest("indexanbh,indexabb*/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(404L, executeGetRequest8.getStatusCode());
            System.out.println(executeGetRequest8.getBody());
            RestHelper.HttpResponse executeGetRequest9 = nonSslRestHelper.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("user_a", "user_a"));
            Assert.assertEquals(403L, executeGetRequest9.getStatusCode());
            System.out.println(executeGetRequest9.getBody());
            RestHelper.HttpResponse executeGetRequest10 = nonSslRestHelper.executeGetRequest("starfleet/_search?pretty", encodeBasicHeader("worf", "worf"));
            Assert.assertEquals(200L, executeGetRequest10.getStatusCode());
            System.out.println(executeGetRequest10.getBody());
            RestHelper.HttpResponse executeGetRequest11 = nonSslRestHelper.executeGetRequest("_all,-indexb/_search?pretty", encodeBasicHeader("nagilum", "nagilum"));
            Assert.assertEquals(400L, executeGetRequest11.getStatusCode());
            System.out.println(executeGetRequest11.getBody());
            System.out.println("#### _all/_mapping/field/*");
            RestHelper.HttpResponse executeGetRequest12 = nonSslRestHelper.executeGetRequest("_all/_mapping/field/*", encodeBasicHeader("nagilum", "nagilum"));
            Assert.assertEquals(200L, executeGetRequest12.getStatusCode());
            System.out.println(executeGetRequest12.getBody());
            System.out.println("#### _mapping/field/*");
            RestHelper.HttpResponse executeGetRequest13 = nonSslRestHelper.executeGetRequest("_mapping/field/*", encodeBasicHeader("nagilum", "nagilum"));
            Assert.assertEquals(200L, executeGetRequest13.getStatusCode());
            System.out.println(executeGetRequest13.getBody());
            System.out.println("#### */_mapping/field/*");
            RestHelper.HttpResponse executeGetRequest14 = nonSslRestHelper.executeGetRequest("*/_mapping/field/*", encodeBasicHeader("nagilum", "nagilum"));
            Assert.assertEquals(200L, executeGetRequest14.getStatusCode());
            System.out.println(executeGetRequest14.getBody());
        } catch (Throwable th) {
            if (internalTransportClient != null) {
                try {
                    internalTransportClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testSgIndexSecurity() throws Exception {
        setup();
        RestHelper nonSslRestHelper = nonSslRestHelper();
        TransportClient internalTransportClient = getInternalTransportClient();
        try {
            internalTransportClient.index(new IndexRequest("indexa").type("doc").id("0").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":\"indexa\"}", XContentType.JSON)).actionGet();
            if (internalTransportClient != null) {
                internalTransportClient.close();
            }
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("searchguard,inde*/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("searchguard/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("*earc*gua*/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("*/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("_all/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePostRequest("searchguard/_close", "", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executeDeleteRequest("searchguard", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executeDeleteRequest("_all", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("*/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("_all/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("searchguard/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("searchgu*/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(200L, nonSslRestHelper.executePutRequest("*,-searchguard/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(404L, nonSslRestHelper.executePutRequest("*,-searchguard,-index*/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertTrue(nonSslRestHelper.executePostRequest("searchguard/_freeze", "", encodeBasicHeader("nagilum", "nagilum")).getStatusCode() >= 400);
            System.out.println(nonSslRestHelper.executePostRequest("_bulk?refresh=true&pretty", "{ \"index\" : { \"_index\" : \"searchguard\", \"_id\" : \"1\" } }\n{ \"field1\" : \"value1\" }\n{ \"index\" : { \"_index\" : \"searchguard\", \"_id\" : \"2\" } }\n{ \"field2\" : \"value2\" }\n{ \"index\" : { \"_index\" : \"myindex\", \"_id\" : \"2\" } }\n{ \"field2\" : \"value2\" }\n{ \"delete\" : { \"_index\" : \"searchguard\", \"_id\" : \"config\" } }\n", encodeBasicHeader("nagilum", "nagilum")).getBody());
            Assert.assertEquals(200L, r0.getStatusCode());
            Assert.assertEquals(4L, r0.getBody().split("\"status\" : 403,").length);
        } catch (Throwable th) {
            if (internalTransportClient != null) {
                try {
                    internalTransportClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testSgIndexSecurityWithSgIndexExcluded() throws Exception {
        setup(Settings.EMPTY, new DynamicSgConfig(), Settings.builder().put("searchguard.filter_sgindex_from_all_requests", true).build());
        RestHelper nonSslRestHelper = nonSslRestHelper();
        TransportClient internalTransportClient = getInternalTransportClient();
        try {
            internalTransportClient.index(new IndexRequest("indexa").type("doc").id("0").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"content\":\"indexa\"}", XContentType.JSON)).actionGet();
            if (internalTransportClient != null) {
                internalTransportClient.close();
            }
            Assert.assertEquals(200L, nonSslRestHelper.executePutRequest("searchguard,inde*/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("searchguard/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("*earc*gua*/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(200L, nonSslRestHelper.executePutRequest("*/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(200L, nonSslRestHelper.executePutRequest("_all/_mapping?pretty", "{\"properties\": {\"name\":{\"type\":\"text\"}}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePostRequest("searchguard/_close", "", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executeDeleteRequest("searchguard", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(200L, nonSslRestHelper.executePutRequest("*/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(200L, nonSslRestHelper.executePutRequest("_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(200L, nonSslRestHelper.executePutRequest("_all/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("searchguard/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(403L, nonSslRestHelper.executePutRequest("searchgu*/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(200L, nonSslRestHelper.executePutRequest("*,-searchguard/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(404L, nonSslRestHelper.executePutRequest("*,-searchguard,-index*/_settings", "{\"index\" : {\"number_of_replicas\" : 2}}", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
            Assert.assertEquals(200L, nonSslRestHelper.executeDeleteRequest("_all", encodeBasicHeader("nagilum", "nagilum")).getStatusCode());
        } catch (Throwable th) {
            if (internalTransportClient != null) {
                try {
                    internalTransportClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }
}
