package org.apache.kylin.rest.service;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.exception.KylinException;
import org.apache.kylin.common.exception.code.ErrorCodeServer;
import org.apache.kylin.common.msg.MsgPicker;
import org.apache.kylin.common.persistence.AclEntity;
import org.apache.kylin.common.persistence.RootPersistentEntity;
import org.apache.kylin.common.util.NLocalFileMetadataTestCase;
import org.apache.kylin.metadata.project.NProjectManager;
import org.apache.kylin.metadata.project.ProjectInstance;
import org.apache.kylin.metadata.user.ManagedUser;
import org.apache.kylin.rest.request.AccessRequest;
import org.apache.kylin.rest.request.GlobalAccessRequest;
import org.apache.kylin.rest.response.AccessEntryResponse;
import org.apache.kylin.rest.security.AclPermission;
import org.apache.kylin.rest.security.AclPermissionFactory;
import org.apache.kylin.rest.security.AclRecord;
import org.apache.kylin.rest.security.CompositeAclPermission;
import org.apache.kylin.rest.security.MutableAclRecord;
import org.apache.kylin.rest.security.UserAclManager;
import org.apache.kylin.rest.service.AclServiceTest;
import org.apache.kylin.rest.util.AclEvaluate;
import org.apache.kylin.rest.util.AclPermissionUtil;
import org.apache.kylin.rest.util.AclUtil;
import org.apache.kylin.rest.util.SpringContext;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
import org.junit.jupiter.api.Assertions;
import org.junit.rules.ExpectedException;
import org.junit.runner.RunWith;
import org.mockito.ArgumentMatchers;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.powermock.api.mockito.PowerMockito;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.modules.junit4.PowerMockRunner;
import org.springframework.context.ApplicationContext;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.PermissionFactory;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.AccessControlEntry;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.PermissionGrantingStrategy;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.test.util.ReflectionTestUtils;

@PrepareForTest({SpringContext.class, UserGroupInformation.class, KylinConfig.class, NProjectManager.class})
@RunWith(PowerMockRunner.class)
/* loaded from: input_file:org/apache/kylin/rest/service/AccessServiceTest.class */
public class AccessServiceTest extends NLocalFileMetadataTestCase {

    // Service under test; the initializer builds a Mockito spy of AccessService.
    // NOTE(review): @InjectMocks sits on a field that already holds a spy, so wiring of the
    // collaborators below depends on how the runner processes annotations. Confirm.
    @InjectMocks
    AccessService accessService = (AccessService) Mockito.spy(AccessService.class);

    // Exercised by testCleanupProjectAcl through cleanupAcl().
    @InjectMocks
    ProjectService projectService = (ProjectService) Mockito.spy(ProjectService.class);

    // Group lookups (exists, getAllUserGroups) are stubbed per test on this instance.
    @InjectMocks
    private IUserGroupService userGroupService = (IUserGroupService) Mockito.spy(IUserGroupService.class);

    // The five collaborators below are annotated @Mock but initialized with Mockito.spy(...).
    // NOTE(review): whether the spy or a plain mock ends up in each field at test time depends
    // on annotation processing. Confirm before relying on real method behaviour.
    @Mock
    AclService aclService = (AclService) Mockito.spy(AclService.class);

    // User directory; setup() stubs the ADMIN / MODELER / ANALYST accounts on it.
    @Mock
    UserService userService = (UserService) Mockito.spy(UserService.class);

    // setup() points its "userService" field at the stubbed userService above.
    @Mock
    UserAclService userAclService = (UserAclService) Mockito.spy(UserAclService.class);

    // setup() points its "aclUtil" field at the aclUtil instance below.
    @Mock
    AclEvaluate aclEvaluate = (AclEvaluate) Mockito.spy(AclEvaluate.class);

    @Mock
    AclUtil aclUtil = (AclUtil) Mockito.spy(AclUtil.class);

    // JUnit 4 rule: an expectation set on it applies to whatever the rest of the test method throws.
    @Rule
    public ExpectedException thrown = ExpectedException.none();

    /**
     * Prepares the fixture shared by every test.
     *
     * <p>Static access to {@code SpringContext} and {@code UserGroupInformation} is stubbed, test
     * metadata is loaded from {@code src/test/resources/ut_access}, and the security context is
     * authenticated as {@code ADMIN} with {@code ROLE_ADMIN}. The property
     * {@code kylin.security.acl.data-permission-default-enabled} starts as {@code "false"}.
     * The stubbed user service knows three accounts (ADMIN, MODELER, ANALYST) and reports ADMIN
     * as the only global admin and the only super admin.
     *
     * @throws IOException declared by the original signature
     */
    @Before
    public void setup() throws IOException {
        PowerMockito.mockStatic(SpringContext.class);
        PowerMockito.mockStatic(UserGroupInformation.class);
        PowerMockito.when(UserGroupInformation.getCurrentUser()).thenReturn(Mockito.mock(UserGroupInformation.class));
        overwriteSystemProp("HADOOP_USER_NAME", "root");
        createTestMetadata(new String[]{"src/test/resources/ut_access"});

        // Every test starts as ADMIN; tests that switch identity are responsible for the change.
        SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("ADMIN", "ADMIN", "ROLE_ADMIN"));
        ReflectionTestUtils.setField(this.aclEvaluate, "aclUtil", this.aclUtil);
        ReflectionTestUtils.setField(this.userAclService, "userService", this.userService);
        getTestConfig().setProperty("kylin.security.acl.data-permission-default-enabled", "false");

        ManagedUser admin = new ManagedUser("ADMIN", "KYLIN", false,
                Arrays.asList(new SimpleGrantedAuthority("ROLE_ADMIN"), new SimpleGrantedAuthority("ROLE_ANALYST"), new SimpleGrantedAuthority("ROLE_MODELER")));
        ManagedUser modeler = new ManagedUser("MODELER", "MODELER", false,
                Arrays.asList(new SimpleGrantedAuthority("ROLE_ANALYST"), new SimpleGrantedAuthority("ROLE_MODELER")));
        ManagedUser analyst = new ManagedUser("ANALYST", "ANALYST", false,
                Arrays.asList(new SimpleGrantedAuthority("ROLE_ANALYST")));

        Mockito.when(this.userService.listUsers()).thenReturn(Lists.newArrayList(admin, modeler, analyst));
        Mockito.when(this.userService.loadUserByUsername("ADMIN")).thenReturn(admin);
        Mockito.when(this.userService.loadUserByUsername("MODELER")).thenReturn(modeler);
        Mockito.when(this.userService.loadUserByUsername("ANALYST")).thenReturn(analyst);
        for (String knownUser : new String[]{"ADMIN", "MODELER", "ANALYST"}) {
            Mockito.when(this.userService.userExists(knownUser)).thenReturn(true);
        }
        Mockito.when(this.userService.getGlobalAdmin()).thenReturn(Sets.newHashSet("ADMIN"));
        Mockito.when(this.userService.listSuperAdminUsers()).thenReturn(Lists.newArrayList("ADMIN"));

        // Bean lookups through the static SpringContext hand back plain mocks.
        PowerMockito.when(SpringContext.getApplicationContext()).thenReturn(PowerMockito.mock(ApplicationContext.class));
        PowerMockito.when(SpringContext.getBean(PermissionFactory.class)).thenReturn(PowerMockito.mock(PermissionFactory.class));
        PowerMockito.when(SpringContext.getBean(PermissionGrantingStrategy.class)).thenReturn(PowerMockito.mock(PermissionGrantingStrategy.class));
    }

    /** Discards the metadata created by {@code createTestMetadata} in {@link #setup()}. */
    @After
    public void tearDown() {
        cleanupTestMetadata();
    }

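    /**
     * Walks one ACL through init, grant, update, inherit, revoke and clean, and checks that each
     * mutating call rejects {@code null} arguments with a {@link KylinException}.
     *
     * <p>The decompiled listing called {@code getPrincipal()} directly on {@code Sid} values.
     * Spring's {@code Sid} interface declares no such method, so the downcasts to
     * {@link PrincipalSid} are restored here. Every SID in this test is created as a user
     * principal, so the casts hold.
     *
     * @throws IOException declared by the original signature
     */
    @Test
    public void testBasics() throws IOException {
        Assert.assertNotNull(this.accessService.getSid("ADMIN", true));
        Assert.assertNotNull(AclPermissionFactory.getPermissions());

        AclServiceTest.MockAclEntity parent = new AclServiceTest.MockAclEntity("test-domain-object");
        this.accessService.clean(parent, true);
        Assert.assertThrows(KylinException.class, () -> this.accessService.clean((AclEntity) null, true));
        AclServiceTest.MockAclEntity child = new AclServiceTest.MockAclEntity("attached-domain-object");
        this.accessService.clean(child, true);

        // init: the authenticated user (ADMIN, see setup) becomes owner and sole entry.
        Assert.assertNull(this.accessService.getAcl(parent));
        MutableAclRecord initialAcl = this.accessService.init(parent, AclPermission.ADMINISTRATION);
        // getOwner() is presumably declared as Sid; the cast is redundant but harmless if it is narrower.
        Assert.assertEquals("ADMIN", ((PrincipalSid) initialAcl.getOwner()).getPrincipal());
        Assert.assertEquals(1L, this.accessService.generateAceResponses(initialAcl).size());
        AccessEntryResponse ownerAce = (AccessEntryResponse) this.accessService.generateAceResponses(initialAcl).get(0);
        Assert.assertTrue(CollectionUtils.isEmpty(ownerAce.getExtPermissions()));
        checkResult(parent, ownerAce);

        // grant: a second principal is added; null entity, permission or SID must be refused.
        Sid modeler = this.accessService.getSid("MODELER", true);
        MutableAclRecord granted = this.accessService.grant(parent, AclPermission.ADMINISTRATION, modeler);
        Assert.assertEquals(2L, this.accessService.generateAceResponses(granted).size());
        Assert.assertThrows(KylinException.class,
                () -> this.accessService.grant((AclEntity) null, AclPermission.ADMINISTRATION, modeler));
        Assert.assertThrows(KylinException.class,
                () -> this.accessService.grant(parent, (Permission) null, modeler));
        Assert.assertThrows(KylinException.class,
                () -> this.accessService.grant(parent, AclPermission.ADMINISTRATION, (Sid) null));

        int modelerAceId = 0;
        for (AccessControlEntry ace : granted.getEntries()) {
            if (((PrincipalSid) ace.getSid()).getPrincipal().equals("MODELER")) {
                modelerAceId = ((Integer) ace.getId()).intValue();
                Assert.assertSame(AclPermission.ADMINISTRATION, ace.getPermission());
            }
        }

        // update: downgrade MODELER to READ; the entry count is unchanged.
        MutableAclRecord downgraded = this.accessService.update(parent, modelerAceId, AclPermission.READ);
        Assert.assertEquals(2L, this.accessService.generateAceResponses(downgraded).size());
        for (AccessControlEntry ace : downgraded.getEntries()) {
            if (((PrincipalSid) ace.getSid()).getPrincipal().equals("MODELER")) {
                modelerAceId = ((Integer) ace.getId()).intValue();
                Assert.assertSame(AclPermission.READ, ace.getPermission());
            }
        }

        // update with a composite permission: READ plus the DATA_QUERY extension.
        MutableAclRecord withDataQuery = this.accessService.update(parent, modelerAceId,
                new CompositeAclPermission(AclPermission.READ, Arrays.asList(AclPermission.DATA_QUERY)));
        for (AccessControlEntry ace : withDataQuery.getEntries()) {
            if (((PrincipalSid) ace.getSid()).getPrincipal().equals("MODELER")) {
                modelerAceId = ((Integer) ace.getId()).intValue();
                Assert.assertTrue(AclPermissionUtil.hasQueryPermission(ace.getPermission()));
            }
        }

        // inherit: attach the child ACL to the parent; null on either side must be refused.
        this.accessService.clean(child, true);
        Assert.assertNull(this.accessService.getAcl(child));
        this.accessService.init(child, AclPermission.ADMINISTRATION);
        this.accessService.inherit(child, parent);
        Assert.assertThrows(KylinException.class, () -> this.accessService.inherit((AclEntity) null, parent));
        Assert.assertThrows(KylinException.class, () -> this.accessService.inherit(child, (AclEntity) null));
        MutableAclRecord childAcl = this.accessService.getAcl(child);
        Assert.assertNotNull(childAcl.getParentAcl());
        Assert.assertEquals("test-domain-object", childAcl.getParentAcl().getObjectIdentity().getIdentifier());
        Assert.assertEquals(1L, childAcl.getEntries().size());

        // revoke removes MODELER's entry; cleaning the parent also removes the child's ACL.
        Assert.assertEquals(1L, this.accessService.generateAceResponses(this.accessService.revoke(parent, modelerAceId)).size());
        this.accessService.clean(parent, true);
        Assert.assertNull(this.accessService.getAcl(parent));
        Assert.assertNull(this.accessService.getAcl(child));
    }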

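    /**
     * Checks how {@code kylin.security.acl.data-permission-default-enabled} changes the mask of a
     * granted {@code MANAGEMENT} permission: 32 with the property off, 160 with it on.
     *
     * <p>The decompiled listing referred to an undeclared register name ({@code r0}) for the
     * entity. The entity is now held in a local variable and reused by both grants.
     */
    @Test
    public void testCompositeAclPermission() {
        AclServiceTest.MockAclEntity entity = new AclServiceTest.MockAclEntity("test-domain-object");
        Assert.assertNull(this.accessService.getAcl(entity));

        getTestConfig().setProperty("kylin.security.acl.data-permission-default-enabled", "false");
        Sid modeler = this.accessService.getSid("MODELER", true);
        Assert.assertEquals(32L, ((AccessControlEntry) this.accessService.grant(entity, AclPermission.MANAGEMENT, modeler).getEntries().get(0)).getPermission().getMask());

        // 160 = 32 + 128; the extra 128 bit is presumably DATA_QUERY's mask. Confirm against AclPermission.
        getTestConfig().setProperty("kylin.security.acl.data-permission-default-enabled", "true");
        Assert.assertEquals(160L, ((AccessControlEntry) this.accessService.grant(entity, AclPermission.MANAGEMENT, modeler).getEntries().get(0)).getPermission().getMask());
    }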

    /**
     * Checks that {@code updateExtensionPermission} throws {@link KylinException} for a null
     * entity, and again once the caller has neither DATA_QUERY nor super-admin status.
     *
     * <p>NOTE(review): the first argument of {@code Assert.assertThrows(String, Class, ThrowingRunnable)}
     * is the message JUnit reports when the assertion fails. It is not compared with the thrown
     * exception's message, so only the exception type is verified by these two assertions.
     */
    @Test
    public void testUpdateExtensionPermissionException() {
        String domainNotFound = MsgPicker.getMsg().getAclDomainNotFound();
        Assert.assertThrows(domainNotFound, KylinException.class,
                () -> this.accessService.updateExtensionPermission((AclEntity) null, (AccessRequest) null));

        // Remove both routes to the extension permission before the second call.
        UserAclManager.getInstance(getTestConfig()).deletePermission("admin", AclPermission.DATA_QUERY);
        Mockito.when(this.userService.listSuperAdminUsers()).thenReturn(Collections.emptyList());

        String permissionRequired = MsgPicker.getMsg().getAclPermissionRequired();
        Assert.assertThrows(permissionRequired, KylinException.class,
                () -> this.accessService.updateExtensionPermission(new AclRecord(), (AccessRequest) null));
    }

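    /**
     * Asserts that {@code accessEntryResponse} is ADMIN's ADMINISTRATION entry and that
     * initializing an ACL a second time for {@code aclEntity} fails with {@link KylinException}.
     *
     * <p>The decompiled listing called {@code getPrincipal()} on the result of {@code getSid()}
     * without a cast. The downcast to {@link PrincipalSid} is restored. {@code getSid()} is
     * presumably declared as the Spring {@code Sid} interface; the cast is harmless if the
     * declared type is already narrower.
     *
     * @param aclEntity entity whose ACL has already been initialized
     * @param accessEntryResponse response generated for the owner's entry
     */
    private void checkResult(AclEntity aclEntity, AccessEntryResponse accessEntryResponse) {
        Assert.assertNotNull(accessEntryResponse.getId());
        Assert.assertSame(AclPermission.ADMINISTRATION, accessEntryResponse.getPermission());
        Assert.assertEquals("ADMIN", ((PrincipalSid) accessEntryResponse.getSid()).getPrincipal());
        // A second init on the same entity must not silently replace the existing ACL.
        Assert.assertThrows(KylinException.class,
                () -> this.accessService.init(aclEntity, AclPermission.ADMINISTRATION));
    }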

    /**
     * Checks that the map-based {@code batchGrant} throws {@link KylinException} when either
     * the entity or the SID-to-permission map is {@code null}.
     */
    @Test
    public void testBatchGrantAndRevokeException() {
        AclServiceTest.MockAclEntity entity = new AclServiceTest.MockAclEntity("batch-grant");
        Map<Sid, Permission> noGrants = new HashMap<>();

        Assert.assertThrows(KylinException.class,
                () -> this.accessService.batchGrant((AclEntity) null, noGrants));
        Assert.assertThrows(KylinException.class,
                () -> this.accessService.batchGrant(entity, (Map<Sid, Permission>) null));
    }

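    /**
     * Exercises the list-based and map-based {@code batchGrant} together with {@code batchRevoke}.
     *
     * <p>With {@code kylin.security.acl.data-permission-default-enabled} set to {@code "true"},
     * ten ADMINISTRATION grants must each carry query permission. With it set to {@code "false"},
     * the same grant must not. A request with an empty permission string adds no entry. The last
     * call expects {@link KylinException} for a null entity.
     *
     * <p>The original loop asserted query permission on {@code entries.get(0)} in every
     * iteration, so entries 1 to 9 were never checked. The assertion now follows the loop index.
     */
    @Test
    public void testBatchGrantAndRevoke() {
        AclServiceTest.MockAclEntity entity = new AclServiceTest.MockAclEntity("batch-grant");

        getTestConfig().setProperty("kylin.security.acl.data-permission-default-enabled", "true");
        List<AccessRequest> tenAdmins = Lists.newArrayList();
        for (int i = 0; i < 10; i++) {
            tenAdmins.add(createAccessRequest("u" + i, "ADMINISTRATION"));
        }
        this.accessService.batchGrant(tenAdmins, entity);
        List<AccessControlEntry> entries = this.accessService.getAcl(entity).getEntries();
        Assert.assertEquals(10L, entries.size());
        for (int i = 0; i < entries.size(); i++) {
            AccessControlEntry entry = entries.get(i);
            Assert.assertEquals(new PrincipalSid("u" + i), entry.getSid());
            // Check the entry under inspection, not only the first one.
            Assert.assertTrue(AclPermissionUtil.hasQueryPermission(entry.getPermission()));
        }
        this.accessService.batchRevoke(entity, tenAdmins);
        Assert.assertEquals(0L, this.accessService.getAcl(entity).getEntries().size());

        // Default data permission disabled: the same grant must not imply query access.
        getTestConfig().setProperty("kylin.security.acl.data-permission-default-enabled", "false");
        List<AccessRequest> singleAdmin = Lists.newArrayList(createAccessRequest("u1", "ADMINISTRATION"));
        this.accessService.batchGrant(singleAdmin, entity);
        List<AccessControlEntry> afterSingleGrant = this.accessService.getAcl(entity).getEntries();
        Assert.assertEquals(1L, afterSingleGrant.size());
        Assert.assertEquals(new PrincipalSid("u1"), afterSingleGrant.get(0).getSid());
        Assertions.assertFalse(AclPermissionUtil.hasQueryPermission(afterSingleGrant.get(0).getPermission()));
        this.accessService.batchRevoke(entity, singleAdmin);

        // An empty permission name must not create an entry.
        this.accessService.batchGrant(Lists.newArrayList(createAccessRequest("u1", "")), entity);
        Assert.assertEquals(0L, this.accessService.getAcl(entity).getEntries().size());

        // Group grant carrying an explicit DATA_QUERY extension.
        this.accessService.batchGrant(entity, Collections.singletonMap(new GrantedAuthoritySid("ALL_USERS"), new CompositeAclPermission(AclPermission.MANAGEMENT, Arrays.asList(AclPermission.DATA_QUERY))));
        Assert.assertTrue(AclPermissionUtil.isSpecificPermissionInProject("ALL_USERS", AclPermission.DATA_QUERY, this.accessService.getAcl(entity)));

        this.thrown.expect(KylinException.class);
        this.accessService.batchRevoke((AclEntity) null, Collections.emptyList());
    }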

    /**
     * Builds an access request for a user principal.
     *
     * @param str SID (user name) the request targets
     * @param str2 permission name; callers in this class pass {@code "ADMINISTRATION"} or {@code ""}
     * @return a request with the principal flag set to {@code true}
     */
    private AccessRequest createAccessRequest(String str, String str2) {
        AccessRequest request = new AccessRequest();
        request.setSid(str);
        request.setPrincipal(true);
        request.setPermission(str2);
        return request;
    }

    /**
     * Disabled timing probe: grants {@code OPERATION} to 100000 distinct users on one entity and
     * prints the elapsed time after every ten grants. It makes no assertions.
     *
     * @throws JsonProcessingException declared by the original signature
     */
    @Test
    @Ignore("just ignore")
    public void test100000Entries() throws JsonProcessingException {
        AclServiceTest.MockAclEntity entity = new AclServiceTest.MockAclEntity("100000Entries");
        long lastMark = System.currentTimeMillis();
        for (int n = 0; n < 100000; n++) {
            if (n % 10 == 0) {
                long now = System.currentTimeMillis();
                System.out.println((now - lastMark) + " ms for last 10 entries, total " + n);
                lastMark = now;
            }
            Sid user = this.accessService.getSid("USER" + n, true);
            this.accessService.grant(entity, AclPermission.OPERATION, user);
        }
    }

    /**
     * Checks that {@code checkGlobalAdmin} throws {@link KylinException} for ADMIN, the account
     * that setup() stubs as the global admin.
     *
     * @throws IOException declared by the original signature
     */
    @Test(expected = KylinException.class)
    public void testCheckGlobalAdminException() throws IOException {
        String globalAdmin = "ADMIN";
        this.accessService.checkGlobalAdmin(globalAdmin);
    }

    /**
     * Checks that {@code checkGlobalAdmin} accepts names that are not the stubbed global admin,
     * both one at a time and as a list. The test passes when neither call throws.
     *
     * @throws IOException declared by the original signature
     */
    @Test
    public void testCheckGlobalAdmin() throws IOException {
        this.accessService.checkGlobalAdmin("ANALYSIS");
        List<String> ordinaryNames = Arrays.asList("ANALYSIS", "MODEL", "AAA");
        this.accessService.checkGlobalAdmin(ordinaryNames);
    }

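    /**
     * Grants ADMINISTRATION to five SIDs whose names include case variants of the admin user and
     * admin role, then checks that fuzzy matching with an empty pattern returns two responses, the
     * first of which is ANALYST.
     *
     * <p>The decompiled listing called {@code getPrincipal()} on the result of {@code getSid()}
     * without a cast. The downcast to {@link PrincipalSid} is restored. {@code getSid()} is
     * presumably declared as the Spring {@code Sid} interface.
     *
     * @throws Exception declared by the original signature
     */
    @Test
    public void testGenerateAceResponsesByFuzzMatching() throws Exception {
        AclServiceTest.MockAclEntity entity = new AclServiceTest.MockAclEntity("test");
        Map<Sid, Permission> grants = new HashMap<>();
        grants.put(new PrincipalSid("ADMIN"), AclPermission.ADMINISTRATION);
        grants.put(new PrincipalSid("admin"), AclPermission.ADMINISTRATION);
        grants.put(new PrincipalSid("ANALYST"), AclPermission.ADMINISTRATION);
        grants.put(new GrantedAuthoritySid("ROLE_ADMIN"), AclPermission.ADMINISTRATION);
        grants.put(new GrantedAuthoritySid("role_ADMIN"), AclPermission.ADMINISTRATION);
        this.accessService.batchGrant(entity, grants);

        // From here on every user and group name is reported as existing.
        Mockito.when(this.userGroupService.exists(Mockito.anyString())).thenReturn(true);
        Mockito.when(this.userService.userExists(Mockito.anyString())).thenReturn(true);

        List<AccessEntryResponse> responses = this.accessService.generateAceResponsesByFuzzMatching(entity, "", false);
        Assert.assertEquals(2L, responses.size());
        Assert.assertEquals("ANALYST", ((PrincipalSid) responses.get(0).getSid()).getPrincipal());
    }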

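    /**
     * Covers a group and a user that share the name ADMIN: after granting to group {@code grp1},
     * group {@code ADMIN} and user {@code ADMIN}, fuzzy matching must return exactly one response,
     * the one for the group SID named ADMIN.
     *
     * <p>The decompiled listing called {@code getGrantedAuthority()} on the result of
     * {@code getSid()} without a cast. The downcast to {@link GrantedAuthoritySid} is restored.
     * {@code getSid()} is presumably declared as the Spring {@code Sid} interface.
     *
     * @throws Exception declared by the original signature
     */
    @Test
    public void testGenerateAceResponsesByFuzzMatchingWhenHasSameNameUserAndGroupName() throws Exception {
        AclServiceTest.MockAclEntity entity = new AclServiceTest.MockAclEntity("test");
        Map<Sid, Permission> grants = new HashMap<>();
        // Only the group named ADMIN is reported as existing; grp1 is not stubbed.
        Mockito.when(this.userGroupService.exists("ADMIN")).thenReturn(true);
        grants.put(new GrantedAuthoritySid("grp1"), AclPermission.ADMINISTRATION);
        grants.put(new GrantedAuthoritySid("ADMIN"), AclPermission.ADMINISTRATION);
        grants.put(new PrincipalSid("ADMIN"), AclPermission.ADMINISTRATION);
        this.accessService.batchGrant(entity, grants);

        List<AccessEntryResponse> responses = this.accessService.generateAceResponsesByFuzzMatching(entity, "", false);
        Assert.assertEquals(1L, responses.size());
        Assert.assertEquals("ADMIN", ((GrantedAuthoritySid) responses.get(0).getSid()).getGrantedAuthority());
    }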

    /**
     * Checks that the {@code default} project in the test metadata has exactly one admin user.
     *
     * @throws IOException declared by the original signature
     */
    @Test
    public void testGetProjectAdminUsers() throws IOException {
        int adminCount = this.accessService.getProjectAdminUsers("default").size();
        Assert.assertEquals(1L, adminCount);
    }

    /**
     * Checks that the {@code default} project in the test metadata has exactly one management user.
     *
     * @throws IOException declared by the original signature
     */
    @Test
    public void testGetProjectManagementUsers() throws IOException {
        int managementCount = this.accessService.getProjectManagementUsers("default").size();
        Assert.assertEquals(1L, managementCount);
    }

    /**
     * Grants ADMINISTRATION on the {@code default} project to user {@code czw9976}, switches the
     * security context to that user (who holds only {@code ROLE_MODELER}) and checks that the
     * project-admin check passes through the ACL entry. The context is set back to ADMIN at the end.
     */
    @Test
    public void testHasProjectAdminPermission() {
        PrincipalSid projectAdmin = new PrincipalSid("czw9976");
        this.aclService.upsertAce(AclPermissionUtil.getProjectAcl("default"), projectAdmin, AclPermission.ADMINISTRATION);

        SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("czw9976", "czw9976", "ROLE_MODELER"));
        boolean isProjectAdmin = AclPermissionUtil.hasProjectAdminPermission("default", this.accessService.getCurrentUserGroups());
        Assert.assertTrue(isProjectAdmin);

        // Not reached if the assertion above fails; setup() re-authenticates as ADMIN before each test.
        SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("ADMIN", "ADMIN", "ROLE_ADMIN"));
    }

    /**
     * Grants ADMINISTRATION to five SIDs on a mock entity, runs {@code ProjectService.cleanupAcl()}
     * and checks that fuzzy matching then returns no responses for that entity.
     *
     * @throws Exception declared by the original signature
     */
    @Test
    public void testCleanupProjectAcl() throws Exception {
        AclServiceTest.MockAclEntity entity = new AclServiceTest.MockAclEntity("test");
        Map<Sid, Permission> grants = new HashMap<>();
        grants.put(new PrincipalSid("ADMIN"), AclPermission.ADMINISTRATION);
        grants.put(new PrincipalSid("admin"), AclPermission.ADMINISTRATION);
        grants.put(new PrincipalSid("ANALYST"), AclPermission.ADMINISTRATION);
        grants.put(new GrantedAuthoritySid("ROLE_ADMIN"), AclPermission.ADMINISTRATION);
        grants.put(new GrantedAuthoritySid("role_ADMIN"), AclPermission.ADMINISTRATION);
        this.accessService.batchGrant(entity, grants);

        this.projectService.cleanupAcl();

        int remaining = this.accessService.generateAceResponsesByFuzzMatching(entity, "", false).size();
        Assert.assertEquals(0L, remaining);
    }

    /**
     * Checks that {@code revokeWithSid} removes MODELER's entry and leaves only the owner's, and
     * that a null entity is rejected with {@link KylinException}.
     */
    @Test
    public void testRevokeWithSid() {
        AclServiceTest.MockAclEntity entity = new AclServiceTest.MockAclEntity("test-domain-object");
        this.accessService.init(entity, AclPermission.ADMINISTRATION);
        Sid modeler = this.accessService.getSid("MODELER", true);
        this.accessService.grant(entity, AclPermission.ADMINISTRATION, modeler);

        MutableAclRecord afterRevoke = this.accessService.revokeWithSid(entity, "MODELER", true);
        Assert.assertEquals(1L, this.accessService.generateAceResponses(afterRevoke).size());

        this.thrown.expect(KylinException.class);
        this.accessService.revokeWithSid((AclEntity) null, "MODELER", true);
    }

    /**
     * Checks that the authenticated user (ADMIN, see setup) is reported with permission
     * {@code "ADMIN"} in the {@code default} project.
     *
     * @throws IOException declared by the original signature
     */
    @Test
    public void testGetCurrentUserPermissionInProject() throws IOException {
        String permission = this.accessService.getCurrentUserPermissionInProject("default");
        Assert.assertEquals("ADMIN", permission);
    }

    /**
     * Checks that ADMIN is reported with the {@code DATA_QUERY} extension permission in the
     * {@code default} project, first as super admin and then after the super-admin list is
     * emptied and the project is added to ADMIN's data-query projects.
     *
     * <p>NOTE(review): the {@code GlobalAccessRequest} built below is never passed to any call.
     */
    @Test
    public void testAdminUserExtPermissionInProject() {
        boolean asSuperAdmin = this.accessService.getUserNormalExtPermissions("default").contains("DATA_QUERY");
        Assert.assertTrue(asSuperAdmin);

        GlobalAccessRequest request = new GlobalAccessRequest();
        request.setUsername("ADMIN");
        request.setProject("default");

        Mockito.when(this.userService.listSuperAdminUsers()).thenReturn(Collections.emptyList());
        UserAclManager userAclManager = (UserAclManager) this.userAclService.getManager(UserAclManager.class);
        userAclManager.addDataQueryProject("ADMIN", "default");
        Mockito.when(this.userAclService.canAdminUserQuery(Mockito.anyString())).thenReturn(false);

        boolean viaProjectGrant = this.accessService.getUserNormalExtPermissions("default").contains("DATA_QUERY");
        Assert.assertTrue(viaProjectGrant);
    }

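    /**
     * Checks adding and removing the {@code DATA_QUERY} extension permission on MODELER's entry
     * through {@code updateExtensionPermission}, then checks how the result is reported by both
     * {@code getUserNormalExtPermissions} overloads.
     *
     * <p>Changes from the decompiled listing: the downcasts the decompiler dropped are restored
     * ({@code Sid} to {@link PrincipalSid} before {@code getPrincipal()}, and {@code Permission}
     * to {@link CompositeAclPermission} before {@code getExtPermissions()}), and an unboxing
     * statement whose result was discarded has been removed.
     */
    @Test
    public void testExtPermissionInProject() {
        AclServiceTest.MockAclEntity entity = new AclServiceTest.MockAclEntity("test-domain-object");
        this.accessService.init(entity, AclPermission.ADMINISTRATION);
        Sid modeler = this.accessService.getSid("MODELER", true);
        MutableAclRecord granted = this.accessService.grant(entity, AclPermission.ADMINISTRATION, modeler);
        int modelerAceId = 0;
        for (AccessControlEntry ace : granted.getEntries()) {
            if (((PrincipalSid) ace.getSid()).getPrincipal().equals("MODELER")) {
                modelerAceId = ((Integer) ace.getId()).intValue();
                Assert.assertSame(AclPermission.ADMINISTRATION, ace.getPermission());
            }
        }

        // Add DATA_QUERY: the entry's permission must become a composite that carries it.
        AccessRequest addDataQuery = new AccessRequest();
        addDataQuery.setSid("MODELER");
        addDataQuery.setPrincipal(true);
        addDataQuery.setAccessEntryId(Integer.valueOf(modelerAceId));
        addDataQuery.setExtPermissions(Collections.singletonList("DATA_QUERY"));
        MutableAclRecord withExtension = this.accessService.updateExtensionPermission(entity, addDataQuery);
        Assert.assertEquals(2L, this.accessService.generateAceResponses(withExtension).size());
        for (AccessControlEntry ace : withExtension.getEntries()) {
            if (((PrincipalSid) ace.getSid()).getPrincipal().equals("MODELER")) {
                Assertions.assertInstanceOf(CompositeAclPermission.class, ace.getPermission());
                // Safe after the instance check above; Permission itself has no getExtPermissions().
                Assert.assertTrue(((CompositeAclPermission) ace.getPermission()).getExtPermissions().contains(AclPermission.DATA_QUERY));
            }
        }

        // Empty extension list: the composite wrapper must be gone again.
        AccessRequest clearExtensions = new AccessRequest();
        clearExtensions.setSid("MODELER");
        clearExtensions.setPrincipal(true);
        clearExtensions.setExtPermissions(Collections.emptyList());
        MutableAclRecord withoutExtension = this.accessService.updateExtensionPermission(entity, clearExtensions);
        Assert.assertEquals(2L, this.accessService.generateAceResponses(withoutExtension).size());
        for (AccessControlEntry ace : withoutExtension.getEntries()) {
            if (((PrincipalSid) ace.getSid()).getPrincipal().equals("MODELER")) {
                Assert.assertNotEquals(CompositeAclPermission.class, ace.getPermission().getClass());
            }
        }

        // Re-add DATA_QUERY; the two-argument overload is checked against the value 128.
        this.accessService.updateExtensionPermission(entity, addDataQuery);
        Assert.assertTrue(this.accessService.getUserNormalExtPermissions("test-domain-object", "MODELER").contains(128));

        // Route project lookups to a mock project whose uuid equals the entity id used above.
        PowerMockito.mockStatic(KylinConfig.class);
        PowerMockito.mockStatic(NProjectManager.class);
        KylinConfig config = Mockito.mock(KylinConfig.class);
        NProjectManager projectManager = Mockito.mock(NProjectManager.class);
        ProjectInstance project = Mockito.mock(ProjectInstance.class);
        PowerMockito.when(KylinConfig.getInstanceFromEnv()).thenReturn(config);
        PowerMockito.when(NProjectManager.getInstance((KylinConfig) ArgumentMatchers.any())).thenReturn(projectManager);
        Mockito.when(projectManager.getProject(ArgumentMatchers.anyString())).thenReturn(project);
        Mockito.when(project.getUuid()).thenReturn("test-domain-object");
        Assert.assertTrue(this.accessService.getUserNormalExtPermissions("test-domain-object").contains("DATA_QUERY"));
    }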

    /**
     * Checks that ADMIN is granted 28 projects in the test metadata.
     *
     * @throws IOException declared by the original signature
     */
    @Test
    public void testGetGrantedProjectsOfUser() throws IOException {
        int grantedCount = this.accessService.getGrantedProjectsOfUser("ADMIN").size();
        Assert.assertEquals(28L, grantedCount);
    }

    /**
     * Checks the number of granted projects for users and groups: 28 for ADMIN, 0 for ANALYST,
     * 1 for each group granted ADMINISTRATION or MANAGEMENT on {@code default}, and 0 for a group
     * with no grant. The final call expects the "user not exists" message for an unknown user.
     *
     * @throws IOException declared by the original signature
     */
    @Test
    public void testGetGrantedProjectsOfUserOrGroup() throws IOException {
        int adminProjects = this.accessService.getGrantedProjectsOfUserOrGroup("ADMIN", true).size();
        Assert.assertEquals(28L, adminProjects);
        int analystProjects = this.accessService.getGrantedProjectsOfUserOrGroup("ANALYST", true).size();
        Assert.assertEquals(0L, analystProjects);

        addGroupAndGrantPermission("ADMIN_GROUP", AclPermission.ADMINISTRATION);
        Mockito.when(this.userGroupService.exists("ADMIN_GROUP")).thenReturn(true);
        int adminGroupProjects = this.accessService.getGrantedProjectsOfUserOrGroup("ADMIN_GROUP", false).size();
        Assert.assertEquals(1L, adminGroupProjects);

        addGroupAndGrantPermission("MANAGEMENT_GROUP", AclPermission.MANAGEMENT);
        Mockito.when(this.userGroupService.exists("MANAGEMENT_GROUP")).thenReturn(true);
        int managementGroupProjects = this.accessService.getGrantedProjectsOfUserOrGroup("MANAGEMENT_GROUP", false).size();
        Assert.assertEquals(1L, managementGroupProjects);

        // A group that exists but holds no grant sees no projects.
        this.userGroupService.addGroup("NORMAL_GROUP");
        Mockito.when(this.userGroupService.exists("NORMAL_GROUP")).thenReturn(true);
        int normalGroupProjects = this.accessService.getGrantedProjectsOfUserOrGroup("NORMAL_GROUP", false).size();
        Assert.assertEquals(0L, normalGroupProjects);

        this.thrown.expectMessage("Operation failed, user:[nouser] not exists, please add it first");
        this.accessService.getGrantedProjectsOfUser("nouser");
    }

    /**
     * Checks that asking for the granted projects of an unknown group fails with the
     * {@code USER_GROUP_NOT_EXIST} message for that group name.
     *
     * @throws IOException declared by the original signature
     */
    @Test
    public void testGetGrantedProjectsOfUserOrGroupWithNotExistGroup() throws IOException {
        String expectedMessage = ErrorCodeServer.USER_GROUP_NOT_EXIST.getMsg(new Object[]{"nogroup"});
        this.thrown.expectMessage(expectedMessage);
        this.accessService.getGrantedProjectsOfUserOrGroup("nogroup", false);
    }

    /**
     * Registers a user group and grants it a permission on the {@code default} project.
     *
     * @param str name of the group to add
     * @param permission permission granted to the group's SID
     * @throws IOException declared by the original signature
     */
    private void addGroupAndGrantPermission(String str, Permission permission) throws IOException {
        ProjectInstance defaultProject = NProjectManager.getInstance(getTestConfig()).getProject("default");
        RootPersistentEntity projectEntity = this.accessService.getAclEntity("ProjectInstance", defaultProject.getUuid());
        this.userGroupService.addGroup(str);
        // The false flag asks for a group SID rather than a user principal.
        Sid groupSid = this.accessService.getSid(str, false);
        this.accessService.grant(projectEntity, permission, groupSid);
    }

    /**
     * Checks that a request list naming only ANALYST is accepted, and that adding a request for
     * ADMIN (the stubbed system administrator) is rejected with the administrator-rights message.
     *
     * @throws IOException declared by the original signature
     */
    @Test
    public void testCheckAccessRequestList() throws IOException {
        Mockito.when(this.userGroupService.getAllUserGroups()).thenReturn(Arrays.asList("ALL_USERS", "MANAGEMENT"));
        List<AccessRequest> requests = new ArrayList<>();

        AccessRequest forAnalyst = new AccessRequest();
        forAnalyst.setAccessEntryId(0);
        forAnalyst.setPermission("MANAGEMENT");
        forAnalyst.setSid("ANALYST");
        forAnalyst.setPrincipal(true);
        requests.add(forAnalyst);
        this.accessService.checkAccessRequestList(requests);

        // A request touching the system administrator's own entry must be refused.
        AccessRequest forAdmin = new AccessRequest();
        forAdmin.setAccessEntryId(0);
        forAdmin.setPermission("ADMIN");
        forAdmin.setSid("ADMIN");
        forAdmin.setPrincipal(true);
        requests.add(forAdmin);
        this.thrown.expectMessage("You cannot add,modify or remove the system administrator’s rights");
        this.accessService.checkAccessRequestList(requests);
    }

    /**
     * Runs {@code checkSid} over an empty list, a list with one valid request, a valid user name
     * and finally an empty name, expecting the "should not be empty" message.
     *
     * <p>NOTE(review): the expectation is registered before the second call, so the first call
     * after it that throws ends the test and any later calls do not run. Which call that is
     * cannot be told from this listing.
     *
     * @throws IOException declared by the original signature
     */
    @Test
    public void testCheckSid() throws IOException {
        this.accessService.checkSid(new ArrayList<>());
        this.thrown.expectMessage("User/Group name should not be empty.");

        List<AccessRequest> requests = new ArrayList<>();
        AccessRequest forAnalyst = new AccessRequest();
        forAnalyst.setAccessEntryId(0);
        forAnalyst.setPermission("MANAGEMENT");
        forAnalyst.setSid("ANALYST");
        forAnalyst.setPrincipal(true);
        requests.add(forAnalyst);
        this.accessService.checkSid(requests);

        Mockito.when(this.userGroupService.getAllUserGroups()).thenReturn(Arrays.asList("ALL_USERS", "MANAGEMENT"));
        this.accessService.checkSid("ADMIN", true);

        this.thrown.expectMessage("User/Group name should not be empty.");
        this.accessService.checkSid("", true);
    }

    /**
     * Checks that {@code checkSidNotEmpty} accepts a non-empty user name and rejects an empty one
     * with the "should not be empty" message.
     */
    @Test
    public void testCheckEmptySid() {
        this.accessService.checkSidNotEmpty("ADMIN", true);

        String expectedMessage = "User/Group name should not be empty.";
        this.thrown.expectMessage(expectedMessage);
        this.accessService.checkSidNotEmpty("", true);
    }

    /**
     * Checks that {@code checkSid} rejects an empty name passed with the principal flag off,
     * using the "should not be empty" message.
     *
     * @throws IOException declared by the original signature
     */
    @Test
    public void testCheckSidWithEmptyUser() throws IOException {
        String expectedMessage = "User/Group name should not be empty.";
        this.thrown.expectMessage(expectedMessage);
        this.accessService.checkSid("", false);
    }

    /**
     * Expects {@code checkSid} to refuse a user sid that is not known to the system, so a
     * permission cannot be attached to a user name that does not exist.
     */
    @Test
    public void testCheckSidWithNotExistUser() throws IOException {
        final String unknownUserMessage = "Operation failed, user:[nouser] not exists, please add it first";
        this.thrown.expectMessage(unknownUserMessage);

        this.accessService.checkSid("nouser", true);
    }

    /**
     * Expects {@code checkSid} to refuse a group sid that is not known to the system; the
     * expected text is taken from {@code ErrorCodeServer.USER_GROUP_NOT_EXIST}.
     */
    @Test
    public void testCheckSidWithNotExistGroup() throws IOException {
        String unknownGroupMessage = ErrorCodeServer.USER_GROUP_NOT_EXIST.getMsg(new Object[]{"nogroup"});
        this.thrown.expectMessage(unknownGroupMessage);

        this.accessService.checkSid("nogroup", false);
    }

    /**
     * Pins both outcomes of {@code isGlobalAdmin}: ADMIN is a global administrator and ANALYST
     * is not. The negative case matters as much as the positive one for a privilege check.
     */
    @Test
    public void testIsGlobalAdmin() throws IOException {
        boolean adminIsGlobalAdmin = this.accessService.isGlobalAdmin("ADMIN");
        Assert.assertTrue(adminIsGlobalAdmin);

        boolean analystIsGlobalAdmin = this.accessService.isGlobalAdmin("ANALYST");
        Assert.assertFalse(analystIsGlobalAdmin);
    }

    /**
     * Expects the current user to belong to exactly four groups.
     *
     * NOTE(review): the count depends on the authentication set up outside this method; confirm
     * against the test fixture if it changes.
     */
    @Test
    public void testGetGroupsOfCurrentUser() {
        int groupCount = this.accessService.getGroupsOfCurrentUser().size();
        Assert.assertEquals(4L, groupCount);
    }

    /**
     * Stubs the global administrators as ADMIN and CCL6911, then checks the users and groups
     * reported for the project ACL: two users including ADMIN, and one group, ROLE_ADMIN.
     */
    @Test
    public void testGetProjectUsersAndGroups() throws IOException {
        Mockito.when(this.userService.getGlobalAdmin()).thenReturn(Sets.newHashSet(new String[]{"ADMIN", "CCL6911"}));
        // Sanity check that the stub is in effect before the service is exercised.
        Assert.assertTrue(this.userService.getGlobalAdmin().contains("CCL6911"));

        Map usersAndGroups = this.accessService.getProjectUsersAndGroups(this.accessService.getAclEntity("ProjectInstance", "1eaca32a-a33e-4b69-83dd-0bb8b1f8c91b"));
        List projectUsers = (List) usersAndGroups.get("user");
        List projectGroups = (List) usersAndGroups.get("group");

        Assert.assertEquals(2L, projectUsers.size());
        Assert.assertEquals(1L, projectGroups.size());
        Assert.assertTrue(projectUsers.contains("ADMIN"));
        Assert.assertTrue(projectGroups.contains("ROLE_ADMIN"));
    }

    /**
     * Grants ADMINISTRATION to user "atest1" on the project ACL and checks that the new entry
     * lands at index 5 of seven entries, that ADMINISTRATION on its own does not count as query
     * permission, and that the other entries keep their positions. It then revokes with
     * argument 6 and checks the remaining six entries, and confirms that revoking on a null
     * entity raises {@code KylinException}.
     *
     * NOTE(review): the expected order looks like group sids first, then user sids, each sorted
     * case-insensitively - confirm against the ACL record implementation.
     */
    @Test
    public void testAclWithUnNaturalOrder() {
        RootPersistentEntity projectEntity = this.accessService.getAclEntity("ProjectInstance", "1eaca32a-a33e-4b69-83dd-0bb8b1f8c91b");
        checkEntries(this.accessService.getAcl(projectEntity).getEntries());

        List entries = this.accessService.grant(projectEntity, BasePermission.ADMINISTRATION, this.accessService.getSid("atest1", true)).getEntries();
        Assert.assertEquals(7L, entries.size());

        // The freshly granted entry: ADMINISTRATION must not imply query permission.
        Permission grantedPermission = ((AccessControlEntry) entries.get(5)).getPermission();
        Assert.assertEquals(BasePermission.ADMINISTRATION, grantedPermission);
        Assertions.assertFalse(AclPermissionUtil.hasQueryPermission(grantedPermission));

        final String[] groupSids = {"ADL6911", "BDL6911", "aCL6911"};
        final String[] userSids = {"ACZ5815", "CCL6911", "atest1", "czw9976"};
        for (int i = 0; i < groupSids.length; i++) {
            Assert.assertEquals(groupSids[i], ((AccessControlEntry) entries.get(i)).getSid().getGrantedAuthority());
        }
        for (int i = 0; i < userSids.length; i++) {
            Assert.assertEquals(userSids[i], ((AccessControlEntry) entries.get(groupSids.length + i)).getSid().getPrincipal());
        }

        MutableAclRecord afterRevoke = this.accessService.revoke(projectEntity, 6);
        // A missing entity must be rejected rather than silently ignored.
        Assert.assertThrows(KylinException.class, () -> this.accessService.revoke((AclEntity) null, 6));
        checkAcl(afterRevoke.getEntries());
    }

    /**
     * Covers {@code update} on the project ACL. After granting ADMINISTRATION to "atest1"
     * (entry 5), the entry is changed to READ and the entry order is checked. Entry 1 is then
     * updated to a composite of ADMINISTRATION plus DATA_QUERY, and the test checks the
     * resulting mask, the base/composite conversions and the generated response. Finally, a
     * null entity or a null permission must raise {@code KylinException}.
     */
    @Test
    public void testAclWithUnNaturalOrderUpdate() throws IOException {
        RootPersistentEntity projectEntity = this.accessService.getAclEntity("ProjectInstance", "1eaca32a-a33e-4b69-83dd-0bb8b1f8c91b");
        // Treat every user and group name as existing for the duration of this test.
        Mockito.when(this.userService.userExists(Mockito.anyString())).thenReturn(true);
        Mockito.when(this.userGroupService.exists(Mockito.anyString())).thenReturn(true);
        checkEntries(this.accessService.getAcl(projectEntity).getEntries());

        List afterGrant = this.accessService.grant(projectEntity, BasePermission.ADMINISTRATION, this.accessService.getSid("atest1", true)).getEntries();
        Assert.assertEquals(BasePermission.ADMINISTRATION, ((AccessControlEntry) afterGrant.get(5)).getPermission());

        // Changing entry 5 to READ must change the permission and leave the ordering alone.
        List afterDowngrade = this.accessService.update(projectEntity, 5, BasePermission.READ).getEntries();
        final String[] groupSids = {"ADL6911", "BDL6911", "aCL6911"};
        final String[] userSids = {"ACZ5815", "CCL6911", "atest1"};
        for (int i = 0; i < groupSids.length; i++) {
            Assert.assertEquals(groupSids[i], ((AccessControlEntry) afterDowngrade.get(i)).getSid().getGrantedAuthority());
        }
        for (int i = 0; i < userSids.length; i++) {
            Assert.assertEquals(userSids[i], ((AccessControlEntry) afterDowngrade.get(groupSids.length + i)).getSid().getPrincipal());
        }
        Assert.assertEquals(BasePermission.READ, ((AccessControlEntry) afterDowngrade.get(5)).getPermission());

        CompositeAclPermission adminWithQuery = new CompositeAclPermission(BasePermission.ADMINISTRATION, Arrays.asList(AclPermission.DATA_QUERY));
        MutableAclRecord compositeUpdate = this.accessService.update(projectEntity, 1, adminWithQuery);
        Permission storedPermission = ((AccessControlEntry) compositeUpdate.getEntries().get(1)).getPermission();
        Assert.assertTrue(AclPermissionUtil.hasQueryPermission(storedPermission));
        Assert.assertTrue(AclPermissionUtil.hasExtPermission(storedPermission));
        // NOTE(review): 144 is presumably the ADMINISTRATION mask combined with the DATA_QUERY
        // mask - confirm against the permission definitions.
        Assert.assertEquals(144L, storedPermission.getMask());
        Assert.assertEquals(BasePermission.ADMINISTRATION, AclPermissionUtil.convertToBasePermission(storedPermission));
        Assert.assertTrue(AclPermissionUtil.convertToCompositePermission(storedPermission).getExtPermissions().contains(AclPermission.DATA_QUERY));

        AccessEntryResponse responseForEntry = (AccessEntryResponse) this.accessService.generateAceResponses(compositeUpdate).get(1);
        Assert.assertEquals(AclPermission.DATA_QUERY, responseForEntry.getExtPermissions().get(0));

        // Invalid arguments must be rejected instead of producing a partially updated ACL.
        Assert.assertThrows(KylinException.class, () -> this.accessService.update((AclEntity) null, 5, AclPermission.DATA_QUERY));
        Assert.assertThrows(KylinException.class, () -> this.accessService.update(projectEntity, 5, (Permission) null));
    }

    /**
     * Asserts the six-entry ACL layout in which the last user entry is "atest1": three group
     * sids at indexes 0-2 followed by three user sids at indexes 3-5.
     *
     * @param list ACL entries to verify, in the order the service returned them
     */
    private void checkAcl(List<AccessControlEntry> list) {
        final String[] groupSids = {"ADL6911", "BDL6911", "aCL6911"};
        final String[] userSids = {"ACZ5815", "CCL6911", "atest1"};

        Assert.assertEquals(6L, list.size());
        for (int i = 0; i < groupSids.length; i++) {
            Assert.assertEquals(groupSids[i], list.get(i).getSid().getGrantedAuthority());
        }
        for (int i = 0; i < userSids.length; i++) {
            Assert.assertEquals(userSids[i], list.get(groupSids.length + i).getSid().getPrincipal());
        }
    }

    /**
     * Asserts the six-entry ACL layout in which the last user entry is "czw9976": three group
     * sids at indexes 0-2 followed by three user sids at indexes 3-5.
     *
     * @param list ACL entries to verify, in the order the service returned them
     */
    private void checkEntries(List<AccessControlEntry> list) {
        final String[] groupSids = {"ADL6911", "BDL6911", "aCL6911"};
        final String[] userSids = {"ACZ5815", "CCL6911", "czw9976"};

        Assert.assertEquals(6L, list.size());
        for (int i = 0; i < groupSids.length; i++) {
            Assert.assertEquals(groupSids[i], list.get(i).getSid().getGrantedAuthority());
        }
        for (int i = 0; i < userSids.length; i++) {
            Assert.assertEquals(userSids[i], list.get(groupSids.length + i).getSid().getPrincipal());
        }
    }

    /**
     * Checks that setting a composite permission on an {@code AccessEntryResponse} exposes the
     * base permission (MANAGEMENT) through {@code getPermission} and the extension permission
     * (DATA_QUERY) through {@code getExtPermissions}.
     */
    @Test
    public void testSetPermissions() {
        CompositeAclPermission managementWithQuery = new CompositeAclPermission(AclPermission.MANAGEMENT);
        managementWithQuery.addExtPermission(AclPermission.DATA_QUERY);
        // The extension mask must be recorded on the composite itself.
        Assert.assertTrue(managementWithQuery.getExtMasks().contains(AclPermission.DATA_QUERY.getMask()));

        // The response starts out with ADMINISTRATION and is then overwritten by the composite.
        AccessEntryResponse response = new AccessEntryResponse("1L", new PrincipalSid("user1"), BasePermission.ADMINISTRATION, true);
        response.setPermission(managementWithQuery);

        Assert.assertEquals(AclPermission.MANAGEMENT, response.getPermission());
        Assert.assertTrue(response.getExtPermissions().contains(AclPermission.DATA_QUERY));
    }

    /**
     * Expects {@code batchCheckSid} to reject a blank sid passed with {@code false} as the
     * second argument (the group case in the neighbouring tests) and a null group collection.
     */
    @Test
    public void testBatchCheckSidWithEmptyGroup() throws IOException {
        final String emptySidMessage = "User/Group name should not be empty.";
        this.thrown.expectMessage(emptySidMessage);

        this.accessService.batchCheckSid("", false, (Collection) null);
    }

    /**
     * Expects {@code batchCheckSid} to reject a blank sid passed with {@code true} as the
     * second argument (the user case in the neighbouring tests).
     */
    @Test
    public void testBatchCheckSidWithEmptyUser() throws IOException {
        final String emptySidMessage = "User/Group name should not be empty.";
        this.thrown.expectMessage(emptySidMessage);

        this.accessService.batchCheckSid("", true, (Collection) null);
    }

    /**
     * Expects {@code batchCheckSid} to fail with the empty-name message when a non-blank group
     * sid is checked against a null group collection.
     *
     * NOTE(review): the sid "group1" is not blank, so the message text does not describe the
     * actual cause here; the test pins the message the service currently produces.
     */
    @Test
    public void testBatchCheckSidWithEmptyAllGroups() throws IOException {
        final String emptySidMessage = "User/Group name should not be empty.";
        this.thrown.expectMessage(emptySidMessage);

        this.accessService.batchCheckSid("group1", false, (Collection) null);
    }

    /**
     * Expects {@code batchCheckSid} to refuse a user sid that is not known to the system, even
     * when no group collection is supplied.
     */
    @Test
    public void testBatchCheckSidWithNotExistUser() throws IOException {
        final String unknownUserMessage = "Operation failed, user:[nouser] not exists, please add it first";
        this.thrown.expectMessage(unknownUserMessage);

        this.accessService.batchCheckSid("nouser", true, (Collection) null);
    }

    /**
     * Expects {@code batchCheckSid} to refuse a group sid that is absent from the supplied
     * group collection; the expected text is taken from
     * {@code ErrorCodeServer.USER_GROUP_NOT_EXIST}.
     */
    @Test
    public void testBatchCheckSidWithNotExistGroup() throws IOException {
        String unknownGroupMessage = ErrorCodeServer.USER_GROUP_NOT_EXIST.getMsg(new Object[]{"nogroup"});
        this.thrown.expectMessage(unknownGroupMessage);

        // "nogroup" is deliberately missing from the known groups passed in.
        this.accessService.batchCheckSid("nogroup", false, Arrays.asList("group1", "group2"));
    }
}
