package kafka.admin;

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import kafka.security.JaasTestUtils;
import org.apache.kafka.clients.admin.Admin;
import org.apache.kafka.clients.admin.ConsumerGroupDescription;
import org.apache.kafka.clients.admin.DescribeClusterOptions;
import org.apache.kafka.clients.admin.DescribeConsumerGroupsOptions;
import org.apache.kafka.clients.admin.DescribeConsumerGroupsResult;
import org.apache.kafka.clients.admin.DescribeTopicsOptions;
import org.apache.kafka.clients.admin.NewTopic;
import org.apache.kafka.clients.admin.TopicDescription;
import org.apache.kafka.clients.consumer.OffsetAndMetadata;
import org.apache.kafka.common.KafkaFuture;
import org.apache.kafka.common.TopicPartition;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AccessControlEntryFilter;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.test.ClusterInstance;
import org.apache.kafka.common.test.api.ClusterConfig;
import org.apache.kafka.common.test.api.ClusterTemplate;
import org.apache.kafka.common.test.api.Type;
import org.apache.kafka.common.test.junit.ClusterTestExtensions;
import org.apache.kafka.security.authorizer.AclEntry;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.extension.ExtendWith;

@ExtendWith({ClusterTestExtensions.class})
/* loaded from: input_file:kafka/admin/DescribeAuthorizedOperationsTest.class */
public class DescribeAuthorizedOperationsTest {
    private static final String GROUP1 = "group1";
    private static final ResourcePattern GROUP1_PATTERN = new ResourcePattern(ResourceType.GROUP, GROUP1, PatternType.LITERAL);
    private static final String GROUP2 = "group2";
    private static final ResourcePattern GROUP2_PATTERN = new ResourcePattern(ResourceType.GROUP, GROUP2, PatternType.LITERAL);
    private static final String GROUP3 = "group3";
    private static final ResourcePattern GROUP3_PATTERN = new ResourcePattern(ResourceType.GROUP, GROUP3, PatternType.LITERAL);
    private static final ResourcePattern CLUSTER_PATTERN = new ResourcePattern(ResourceType.CLUSTER, "kafka-cluster", PatternType.LITERAL);
    private static final AccessControlEntry ALTER_ENTRY = createAccessControlEntry("plain-user1", AclOperation.ALTER);
    private static final AccessControlEntry DESCRIBE_ENTRY = createAccessControlEntry("plain-user1", AclOperation.DESCRIBE);

    static List<ClusterConfig> generator() {
        return List.of(ClusterConfig.defaultBuilder().setTypes(Set.of(Type.KRAFT)).setServerProperties(Map.of("offsets.topic.num.partitions", "1")).setServerProperties(Map.of("offsets.topic.replication.factor", "1")).setBrokerSecurityProtocol(SecurityProtocol.SASL_PLAINTEXT).setControllerSecurityProtocol(SecurityProtocol.SASL_PLAINTEXT).build());
    }

    private static AccessControlEntry createAccessControlEntry(String str, AclOperation aclOperation) {
        return new AccessControlEntry(new KafkaPrincipal("User", str).toString(), "*", aclOperation, AclPermissionType.ALLOW);
    }

    private Map<String, Object> createAdminConfig(String str, String str2) {
        HashMap hashMap = new HashMap();
        hashMap.put("security.protocol", SecurityProtocol.SASL_PLAINTEXT.name);
        hashMap.put("sasl.mechanism", "PLAIN");
        hashMap.put("sasl.jaas.config", String.format("org.apache.kafka.common.security.plain.PlainLoginModule required username=\"%s\" password=\"%s\";", str, str2));
        return hashMap;
    }

    private void setupSecurity(ClusterInstance clusterInstance) throws ExecutionException, InterruptedException {
        Admin admin = clusterInstance.admin(createAdminConfig(JaasTestUtils.KAFKA_PLAIN_ADMIN, "plain-admin-secret"));
        try {
            ResourcePattern resourcePattern = new ResourcePattern(ResourceType.TOPIC, "*", PatternType.LITERAL);
            admin.createAcls(List.of(new AclBinding(CLUSTER_PATTERN, ALTER_ENTRY), new AclBinding(resourcePattern, DESCRIBE_ENTRY))).all().get();
            clusterInstance.waitAcls(new AclBindingFilter(CLUSTER_PATTERN.toFilter(), AccessControlEntryFilter.ANY), Set.of(ALTER_ENTRY));
            clusterInstance.waitAcls(new AclBindingFilter(resourcePattern.toFilter(), AccessControlEntryFilter.ANY), Set.of(DESCRIBE_ENTRY));
            if (admin != null) {
                admin.close();
            }
        } catch (Throwable th) {
            if (admin != null) {
                try {
                    admin.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @ClusterTemplate("generator")
    public void testConsumerGroupAuthorizedOperations(ClusterInstance clusterInstance) throws ExecutionException, InterruptedException {
        setupSecurity(clusterInstance);
        Admin admin = clusterInstance.admin(createAdminConfig(JaasTestUtils.KAFKA_PLAIN_ADMIN, "plain-admin-secret"));
        try {
            Admin admin2 = clusterInstance.admin(createAdminConfig("plain-user1", "plain-user1-secret"));
            try {
                admin.createTopics(List.of(new NewTopic("topic1", 1, (short) 1)));
                clusterInstance.waitForTopic("topic1", 1);
                TopicPartition topicPartition = new TopicPartition("topic1", 0);
                OffsetAndMetadata offsetAndMetadata = new OffsetAndMetadata(0L);
                admin.alterConsumerGroupOffsets(GROUP1, Map.of(topicPartition, offsetAndMetadata)).all().get();
                admin.alterConsumerGroupOffsets(GROUP2, Map.of(topicPartition, offsetAndMetadata)).all().get();
                admin.alterConsumerGroupOffsets(GROUP3, Map.of(topicPartition, offsetAndMetadata)).all().get();
                AccessControlEntry createAccessControlEntry = createAccessControlEntry("plain-user1", AclOperation.ALL);
                AccessControlEntry createAccessControlEntry2 = createAccessControlEntry("plain-user1", AclOperation.DESCRIBE);
                AccessControlEntry createAccessControlEntry3 = createAccessControlEntry("plain-user1", AclOperation.DELETE);
                admin2.createAcls(List.of(new AclBinding(GROUP1_PATTERN, createAccessControlEntry), new AclBinding(GROUP2_PATTERN, createAccessControlEntry2), new AclBinding(GROUP3_PATTERN, createAccessControlEntry3))).all();
                clusterInstance.waitAcls(new AclBindingFilter(GROUP1_PATTERN.toFilter(), AccessControlEntryFilter.ANY), Set.of(createAccessControlEntry));
                clusterInstance.waitAcls(new AclBindingFilter(GROUP2_PATTERN.toFilter(), AccessControlEntryFilter.ANY), Set.of(createAccessControlEntry2));
                clusterInstance.waitAcls(new AclBindingFilter(GROUP3_PATTERN.toFilter(), AccessControlEntryFilter.ANY), Set.of(createAccessControlEntry3));
                DescribeConsumerGroupsResult describeConsumerGroups = admin2.describeConsumerGroups(List.of(GROUP1, GROUP2, GROUP3), new DescribeConsumerGroupsOptions().includeAuthorizedOperations(true));
                Assertions.assertEquals(3, describeConsumerGroups.describedGroups().size());
                Assertions.assertEquals(AclEntry.supportedOperations(ResourceType.GROUP), ((ConsumerGroupDescription) ((KafkaFuture) describeConsumerGroups.describedGroups().get(GROUP1)).get()).authorizedOperations());
                Assertions.assertEquals(Set.of(AclOperation.DESCRIBE), ((ConsumerGroupDescription) ((KafkaFuture) describeConsumerGroups.describedGroups().get(GROUP2)).get()).authorizedOperations());
                Assertions.assertEquals(Set.of(AclOperation.DESCRIBE, AclOperation.DELETE), ((ConsumerGroupDescription) ((KafkaFuture) describeConsumerGroups.describedGroups().get(GROUP3)).get()).authorizedOperations());
                if (admin2 != null) {
                    admin2.close();
                }
                if (admin != null) {
                    admin.close();
                }
            } catch (Throwable th) {
                if (admin2 != null) {
                    try {
                        admin2.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (Throwable th3) {
            if (admin != null) {
                try {
                    admin.close();
                } catch (Throwable th4) {
                    th3.addSuppressed(th4);
                }
            }
            throw th3;
        }
    }

    @ClusterTemplate("generator")
    public void testClusterAuthorizedOperations(ClusterInstance clusterInstance) throws ExecutionException, InterruptedException {
        setupSecurity(clusterInstance);
        Admin admin = clusterInstance.admin(createAdminConfig("plain-user1", "plain-user1-secret"));
        try {
            Assertions.assertNull((Set) admin.describeCluster().authorizedOperations().get());
            Assertions.assertEquals(Set.of(AclOperation.DESCRIBE, AclOperation.ALTER), (Set) admin.describeCluster(new DescribeClusterOptions().includeAuthorizedOperations(true)).authorizedOperations().get());
            if (admin != null) {
                admin.close();
            }
            Admin admin2 = clusterInstance.admin(createAdminConfig(JaasTestUtils.KAFKA_PLAIN_ADMIN, "plain-admin-secret"));
            try {
                AccessControlEntry createAccessControlEntry = createAccessControlEntry("plain-user1", AclOperation.ALL);
                admin2.createAcls(List.of(new AclBinding(CLUSTER_PATTERN, createAccessControlEntry))).all().get();
                clusterInstance.waitAcls(new AclBindingFilter(CLUSTER_PATTERN.toFilter(), AccessControlEntryFilter.ANY), Set.of(createAccessControlEntry, ALTER_ENTRY));
                if (admin2 != null) {
                    admin2.close();
                }
                admin2 = clusterInstance.admin(createAdminConfig("plain-user1", "plain-user1-secret"));
                try {
                    Assertions.assertEquals(AclEntry.supportedOperations(ResourceType.CLUSTER), (Set) admin2.describeCluster(new DescribeClusterOptions().includeAuthorizedOperations(true)).authorizedOperations().get());
                    if (admin2 != null) {
                        admin2.close();
                    }
                } finally {
                }
            } finally {
            }
        } finally {
            if (admin != null) {
                try {
                    admin.close();
                } catch (Throwable th) {
                    th.addSuppressed(th);
                }
            }
        }
    }

    @ClusterTemplate("generator")
    public void testTopicAuthorizedOperations(ClusterInstance clusterInstance) throws ExecutionException, InterruptedException {
        setupSecurity(clusterInstance);
        Admin admin = clusterInstance.admin(createAdminConfig(JaasTestUtils.KAFKA_PLAIN_ADMIN, "plain-admin-secret"));
        try {
            admin.createTopics(List.of(new NewTopic("topic1", 1, (short) 1), new NewTopic("topic2", 1, (short) 1)));
            clusterInstance.waitForTopic("topic1", 1);
            clusterInstance.waitForTopic("topic2", 1);
            if (admin != null) {
                admin.close();
            }
            Admin admin2 = clusterInstance.admin(createAdminConfig("plain-user1", "plain-user1-secret"));
            try {
                Map map = (Map) admin2.describeTopics(List.of("topic1", "topic2")).allTopicNames().get();
                Assertions.assertNull(((TopicDescription) map.get("topic1")).authorizedOperations());
                Assertions.assertNull(((TopicDescription) map.get("topic2")).authorizedOperations());
                Map map2 = (Map) admin2.describeTopics(List.of("topic1", "topic2"), new DescribeTopicsOptions().includeAuthorizedOperations(true)).allTopicNames().get();
                Assertions.assertEquals(Set.of(AclOperation.DESCRIBE), ((TopicDescription) map2.get("topic1")).authorizedOperations());
                Assertions.assertEquals(Set.of(AclOperation.DESCRIBE), ((TopicDescription) map2.get("topic2")).authorizedOperations());
                if (admin2 != null) {
                    admin2.close();
                }
                admin2 = clusterInstance.admin(createAdminConfig(JaasTestUtils.KAFKA_PLAIN_ADMIN, "plain-admin-secret"));
                try {
                    ResourcePattern resourcePattern = new ResourcePattern(ResourceType.TOPIC, "topic1", PatternType.LITERAL);
                    ResourcePattern resourcePattern2 = new ResourcePattern(ResourceType.TOPIC, "topic2", PatternType.LITERAL);
                    AccessControlEntry createAccessControlEntry = createAccessControlEntry("plain-user1", AclOperation.ALL);
                    AccessControlEntry createAccessControlEntry2 = createAccessControlEntry("plain-user1", AclOperation.DELETE);
                    admin2.createAcls(List.of(new AclBinding(resourcePattern, createAccessControlEntry), new AclBinding(resourcePattern2, createAccessControlEntry2))).all().get();
                    clusterInstance.waitAcls(new AclBindingFilter(resourcePattern.toFilter(), AccessControlEntryFilter.ANY), Set.of(createAccessControlEntry));
                    clusterInstance.waitAcls(new AclBindingFilter(resourcePattern2.toFilter(), AccessControlEntryFilter.ANY), Set.of(createAccessControlEntry2));
                    if (admin2 != null) {
                        admin2.close();
                    }
                    admin2 = clusterInstance.admin(createAdminConfig("plain-user1", "plain-user1-secret"));
                    try {
                        Map map3 = (Map) admin2.describeTopics(List.of("topic1", "topic2"), new DescribeTopicsOptions().includeAuthorizedOperations(true)).allTopicNames().get();
                        Assertions.assertEquals(AclEntry.supportedOperations(ResourceType.TOPIC), ((TopicDescription) map3.get("topic1")).authorizedOperations());
                        Assertions.assertEquals(Set.of(AclOperation.DESCRIBE, AclOperation.DELETE), ((TopicDescription) map3.get("topic2")).authorizedOperations());
                        if (admin2 != null) {
                            admin2.close();
                        }
                    } finally {
                    }
                } finally {
                }
            } finally {
                if (admin2 != null) {
                    try {
                        admin2.close();
                    } catch (Throwable th) {
                        th.addSuppressed(th);
                    }
                }
            }
        } finally {
            if (admin != null) {
                try {
                    admin.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        }
    }
}
