package org.apache.pinot.server.api;

import com.google.common.collect.ImmutableMap;
import io.netty.channel.ChannelHandlerContext;
import java.io.File;
import java.io.IOException;
import java.net.ServerSocket;
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.io.FileUtils;
import org.apache.helix.HelixManager;
import org.apache.pinot.common.config.TlsConfig;
import org.apache.pinot.common.metrics.ServerMetrics;
import org.apache.pinot.core.auth.BasicAuthUtils;
import org.apache.pinot.core.transport.HttpServerThreadPoolConfig;
import org.apache.pinot.core.transport.ListenerConfig;
import org.apache.pinot.server.access.AccessControl;
import org.apache.pinot.server.access.AccessControlFactory;
import org.apache.pinot.server.access.BasicAuthAccessFactory;
import org.apache.pinot.server.access.GrpcRequesterIdentity;
import org.apache.pinot.server.access.HttpRequesterIdentity;
import org.apache.pinot.server.access.RequesterIdentity;
import org.apache.pinot.server.starter.ServerInstance;
import org.apache.pinot.spi.env.PinotConfiguration;
import org.apache.pinot.spi.utils.NetUtils;
import org.glassfish.jersey.internal.MapPropertiesDelegate;
import org.glassfish.jersey.server.ContainerRequest;
import org.mockito.Mockito;
import org.testng.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

/* loaded from: input_file:org/apache/pinot/server/api/AccessControlTest.class */
public class AccessControlTest {
    private static final File INDEX_DIR = new File(FileUtils.getTempDirectory(), "AccessControlTest");
    protected static final String TABLE_NAME = "testTable";
    private AdminApiApplication _adminApiApplication;
    protected WebTarget _webTarget;

    /* loaded from: input_file:org/apache/pinot/server/api/AccessControlTest$DenyAllAccessFactory.class */
    public static class DenyAllAccessFactory implements AccessControlFactory {
        private static final AccessControl DENY_ALL_ACCESS = new AccessControl() { // from class: org.apache.pinot.server.api.AccessControlTest.DenyAllAccessFactory.1
            public boolean isAuthorizedChannel(ChannelHandlerContext channelHandlerContext) {
                return false;
            }

            public boolean hasDataAccess(RequesterIdentity requesterIdentity, String str) {
                return false;
            }
        };

        public AccessControl create() {
            return DENY_ALL_ACCESS;
        }
    }

    @BeforeClass
    public void setUp() throws Exception {
        FileUtils.deleteQuietly(INDEX_DIR);
        Assert.assertTrue(INDEX_DIR.mkdirs());
        ServerInstance serverInstance = (ServerInstance) Mockito.mock(ServerInstance.class);
        Mockito.when(serverInstance.getServerMetrics()).thenReturn((ServerMetrics) Mockito.mock(ServerMetrics.class));
        Mockito.when(serverInstance.getHelixManager()).thenReturn((HelixManager) Mockito.mock(HelixManager.class));
        PinotConfiguration pinotConfiguration = new PinotConfiguration();
        pinotConfiguration.setProperty("pinot.server.instance.id", "Server_" + pinotConfiguration.getProperty("pinot.server.netty.host", pinotConfiguration.getProperty("pinot.set.instance.id.to.hostname", false) ? NetUtils.getHostnameOrAddress() : NetUtils.getHostAddress()) + "_" + pinotConfiguration.getProperty("pinot.server.netty.port", 8098));
        this._adminApiApplication = new AdminApiApplication(serverInstance, new DenyAllAccessFactory(), pinotConfiguration);
        int availablePort = getAvailablePort();
        this._adminApiApplication.start(Collections.singletonList(new ListenerConfig("http", "0.0.0.0", availablePort, "http", new TlsConfig(), HttpServerThreadPoolConfig.defaultInstance())));
        this._webTarget = ClientBuilder.newClient().target(String.format("http://%s:%d", NetUtils.getHostAddress(), Integer.valueOf(availablePort)));
    }

    @AfterClass
    public void tearDown() {
        this._adminApiApplication.stop();
        FileUtils.deleteQuietly(INDEX_DIR);
    }

    @Test
    public void testAccessDenied() {
        Assert.assertNotEquals(Integer.valueOf(((Response) this._webTarget.path("/segments/testTable_REALTIME/segment_name").request().get(Response.class)).getStatus()), Response.Status.FORBIDDEN);
    }

    @Test
    public void testGrpcBasicAuth() {
        testBasicAuth(new GrpcRequesterIdentity(ImmutableMap.of("authorization", BasicAuthUtils.toBasicAuthToken("admin123", "verysecret"))), true);
        testBasicAuth(new GrpcRequesterIdentity(ImmutableMap.of("authorization", BasicAuthUtils.toBasicAuthToken("user456", "kindasecret"))), false);
        testBasicAuth(new GrpcRequesterIdentity(ImmutableMap.of("authorization", "Basic YWRtaW4xMjM6dmVyeXNlY3JldA")), true);
        testBasicAuth(new GrpcRequesterIdentity(ImmutableMap.of("authorization", "Basic dXNlcjQ1NjpraW5kYXNlY3JldA==")), false);
    }

    @Test
    public void testHttpBasicAuth() {
        ContainerRequest containerRequest = new ContainerRequest((URI) null, (URI) null, (String) null, (SecurityContext) null, new MapPropertiesDelegate());
        containerRequest.getRequestHeaders().put("authorization", Arrays.asList(BasicAuthUtils.toBasicAuthToken("admin123", "verysecret")));
        testBasicAuth(new HttpRequesterIdentity(containerRequest), true);
        containerRequest.getRequestHeaders().put("authorization", Arrays.asList(BasicAuthUtils.toBasicAuthToken("user456", "kindasecret")));
        testBasicAuth(new HttpRequesterIdentity(containerRequest), false);
        containerRequest.getRequestHeaders().put("authorization", Arrays.asList("Basic YWRtaW4xMjM6dmVyeXNlY3JldA"));
        testBasicAuth(new HttpRequesterIdentity(containerRequest), true);
        containerRequest.getRequestHeaders().put("authorization", Arrays.asList("Basic dXNlcjQ1NjpraW5kYXNlY3JldA=="));
        testBasicAuth(new HttpRequesterIdentity(containerRequest), false);
    }

    public void testBasicAuth(RequesterIdentity requesterIdentity, boolean z) {
        BasicAuthAccessFactory basicAuthAccessFactory = new BasicAuthAccessFactory();
        basicAuthAccessFactory.init(new PinotConfiguration(ImmutableMap.of("principals", "admin123,user456", "principals.admin123.password", "verysecret", "principals.user456.password", "kindasecret", "principals.user456.tables", "stuff,lessImportantStuff")));
        AccessControl create = basicAuthAccessFactory.create();
        Assert.assertTrue(create.hasDataAccess(requesterIdentity, "stuff"));
        Assert.assertTrue(create.hasDataAccess(requesterIdentity, "stuff_OFFLINE"));
        Assert.assertTrue(create.hasDataAccess(requesterIdentity, "stuff_REALTIME"));
        Assert.assertTrue(create.hasDataAccess(requesterIdentity, "lessImportantStuff"));
        Assert.assertTrue(create.hasDataAccess(requesterIdentity, "lessImportantStuff_OFFLINE"));
        Assert.assertTrue(create.hasDataAccess(requesterIdentity, "lessImportantStuff_REALTIME"));
        if (z) {
            Assert.assertTrue(create.hasDataAccess(requesterIdentity, "myTable"));
            Assert.assertTrue(create.hasDataAccess(requesterIdentity, "myTable_OFFLINE"));
            Assert.assertTrue(create.hasDataAccess(requesterIdentity, "myTable_REALTIME"));
        } else {
            Assert.assertFalse(create.hasDataAccess(requesterIdentity, "myTable"));
            Assert.assertFalse(create.hasDataAccess(requesterIdentity, "myTable_OFFLINE"));
            Assert.assertFalse(create.hasDataAccess(requesterIdentity, "myTable_REALTIME"));
        }
    }

    public static int getAvailablePort() {
        try {
            ServerSocket serverSocket = new ServerSocket(0);
            try {
                int localPort = serverSocket.getLocalPort();
                serverSocket.close();
                return localPort;
            } finally {
            }
        } catch (IOException e) {
            throw new RuntimeException("Failed to find an available port to use", e);
        }
    }
}
