package org.apache.kylin.rest.service;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.kylin.common.exception.KylinException;
import org.apache.kylin.common.msg.MsgPicker;
import org.apache.kylin.metadata.epoch.EpochManager;
import org.apache.kylin.metadata.user.ManagedUser;
import org.apache.kylin.rest.request.GlobalAccessRequest;
import org.apache.kylin.rest.request.GlobalBatchAccessRequest;
import org.apache.kylin.rest.response.UserAccessEntryResponse;
import org.apache.kylin.rest.security.AclPermission;
import org.apache.kylin.rest.security.UserAclManager;
import org.apache.kylin.rest.util.AclEvaluate;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.test.util.ReflectionTestUtils;

/* loaded from: input_file:org/apache/kylin/rest/service/UserAclServiceTest.class */
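/**
 * Tests for {@link UserAclService}: granting, revoking and listing the DATA_QUERY ACL permission,
 * globally and per project, plus the guard methods that decide who may change it.
 *
 * <p>The guard methods are not called directly; they are reached by name through
 * {@code ReflectionTestUtils.invokeMethod}, so a rename in the service breaks these tests at
 * run time rather than at compile time.
 */
public class UserAclServiceTest extends ServiceTestBase {

    /** Config key toggled by these tests; {@link #setup()} sets it to "true" before every test. */
    private static final String DATA_PERMISSION_DEFAULT_ENABLED = "kylin.security.acl.data-permission-default-enabled";

    @Autowired
    @Qualifier("userService")
    UserService userService;

    // NOTE(review): the field carries @Mock but is initialised with a spy. Whether anything
    // processes the annotation is not visible here; the assertions below depend on the spy's
    // real methods running.
    @Mock
    protected UserAclService userAclService = (UserAclService) Mockito.spy(new UserAclService());

    @Mock
    AclEvaluate aclEvaluate = (AclEvaluate) Mockito.spy(new AclEvaluate());

    // Only testCreateUser still uses this rule, and only for its final statement.
    @Rule
    public ExpectedException thrown = ExpectedException.none();

    /**
     * Enables the data-permission default and wires the spies together by reflection:
     * the ACL service gets the autowired user service, and AclEvaluate gets the ACL service.
     */
    @Override // org.apache.kylin.rest.service.ServiceTestBase
    @Before
    public void setup() {
        super.setup();
        getTestConfig().setProperty(DATA_PERMISSION_DEFAULT_ENABLED, "true");
        ReflectionTestUtils.setField(this.userAclService, "userService", this.userService);
        ReflectionTestUtils.setField(this.aclEvaluate, "userAclService", this.userAclService);
    }

    /**
     * Creates {@code username} with the single authority ROLE_ADMIN unless the user service
     * already knows it. The second constructor argument repeats the name, as every fixture
     * account in this class does.
     */
    private void createRoleAdminUserIfAbsent(String username) {
        if (!this.userService.userExists(username)) {
            this.userService.createUser(new ManagedUser(username, username, false, Arrays.asList(new SimpleGrantedAuthority("ROLE_ADMIN"))));
        }
    }

    /**
     * Walks one ROLE_ADMIN user through grant/revoke of DATA_QUERY, a project-scoped grant,
     * the listing of super admins, and finally the refusal to modify a super admin.
     */
    @Test
    public void testCreateUser() {
        getTestConfig().setProperty(DATA_PERMISSION_DEFAULT_ENABLED, "false");
        createRoleAdminUserIfAbsent("ADMIN1");
        // Start from a known state: no ACL record and no DATA_QUERY for ADMIN1.
        this.userAclService.deleteUserAcl("ADMIN1");
        this.userAclService.revokeUserAclPermission("ADMIN1", "DATA_QUERY");
        Assert.assertFalse(this.userAclService.hasUserAclPermission("ADMIN1", AclPermission.DATA_QUERY));
        this.userAclService.grantUserAclPermission("ADMIN1", "DATA_QUERY");
        Assert.assertTrue(this.userAclService.hasUserAclPermission("ADMIN1", AclPermission.DATA_QUERY));
        Assert.assertEquals(2L, this.userAclService.listUserAcl().size());
        this.userAclService.revokeUserAclPermission("ADMIN1", "DATA_QUERY");
        Assert.assertFalse(this.userAclService.hasUserAclPermission("ADMIN1", AclPermission.DATA_QUERY));

        // Project-scoped grant: after adding project "default" the evaluator call must not throw
        // and the service must report the project permission; removing it must clear the permission.
        GlobalAccessRequest globalAccessRequest = new GlobalAccessRequest();
        globalAccessRequest.setUsername("ADMIN1");
        globalAccessRequest.setProject("default");
        this.userAclService.addProjectToUserAcl(globalAccessRequest, "DATA_QUERY");
        this.aclEvaluate.checkProjectQueryPermission("default");
        Assert.assertTrue(this.userAclService.hasUserAclPermissionInProject(globalAccessRequest.getUsername(), globalAccessRequest.getProject()));
        this.userAclService.deleteProjectFromUserAcl(globalAccessRequest, "DATA_QUERY");
        Assert.assertFalse(this.userAclService.hasUserAclPermissionInProject(globalAccessRequest.getUsername(), globalAccessRequest.getProject()));

        // Replace the user service with a stub that reports three super admins; each of them
        // must then be listed with DATA_QUERY among its extended permissions.
        ReflectionTestUtils.setField(this.userAclService, "userService", new KylinUserService() {
            public List<String> listSuperAdminUsers() {
                return Arrays.asList("ADMIN", "ADMIN1", "ADMIN2");
            }
        });
        Assert.assertEquals(3L, this.userAclService.listUserAcl().size());
        Assert.assertTrue(((UserAccessEntryResponse) this.userAclService.listUserAcl().get(0)).getExtPermissions().contains("DATA_QUERY"));
        Assert.assertTrue(((UserAccessEntryResponse) this.userAclService.listUserAcl().get(1)).getExtPermissions().contains("DATA_QUERY"));
        Assert.assertTrue(((UserAccessEntryResponse) this.userAclService.listUserAcl().get(2)).getExtPermissions().contains("DATA_QUERY"));

        // The ExpectedException rule ends the test at the first throw, so this call has to stay
        // the last statement: anything placed after it would never run.
        this.thrown.expect(KylinException.class);
        this.thrown.expectMessage(MsgPicker.getMsg().getModifyPermissionOfSuperAdminFailed());
        this.userAclService.grantUserAclPermission("admin", "DATA_QUERY");
    }

    /** Expects an empty ACL listing, not a propagated error, when the admin-user lookup fails. */
    @Test
    public void testGetAllUsersHasGlobalPermission() {
        ReflectionTestUtils.setField(this.userAclService, "userService", new KylinUserService() {
            // NOTE(review): IOException is checked and this override declares no throws clause.
            // This looks like decompiler output of a sneaky throw; confirm against the original
            // source before compiling this listing.
            public List<String> listAdminUsers() {
                throw new IOException("test");
            }
        });
        Assert.assertTrue(this.userAclService.listUserAcl().isEmpty());
    }

    /** Granting DATA_QUERY to "ADMIN" must be rejected with a KylinException. */
    @Test
    public void testGrantUserAclExceptions() {
        Assert.assertThrows(KylinException.class, () -> {
            this.userAclService.grantUserAclPermission("ADMIN", "DATA_QUERY");
        });
    }

    /** Revoking DATA_QUERY from "ADMIN" must be rejected with a KylinException. */
    @Test
    public void testRevokeUserAclExceptions() {
        Assert.assertThrows(KylinException.class, () -> {
            this.userAclService.revokeUserAclPermission("ADMIN", "DATA_QUERY");
        });
    }

    /**
     * Drives the private {@code checkAclPermission} guard through its rejection paths.
     *
     * <p>NOTE(review): in the three-argument {@code assertThrows} calls below, the leading String
     * is JUnit's failure message, not a matcher on the exception text. Those assertions therefore
     * pin only the exception type. The two calls with "admin" are identical apart from the stubbed
     * super-admin list, so a rejection for the wrong reason would still pass.
     */
    @Test
    public void testCheckAclPermission() {
        Assert.assertThrows(IllegalArgumentException.class, () -> {
            ReflectionTestUtils.invokeMethod(this.userAclService, "checkAclPermission", new Object[]{"", ""});
        });
        Assert.assertThrows(MsgPicker.getMsg().getModifyPermissionOfSuperAdminFailed(), KylinException.class, () -> {
            ReflectionTestUtils.invokeMethod(this.userAclService, "checkAclPermission", new Object[]{"admin", "DATA_QUERY"});
        });
        // With no super admins reported, the same call is still expected to be rejected.
        ReflectionTestUtils.setField(this.userAclService, "userService", new KylinUserService() {
            public List<String> listSuperAdminUsers() {
                return Collections.emptyList();
            }
        });
        Assert.assertThrows(MsgPicker.getMsg().getModifyOwnPermissionFailed(), KylinException.class, () -> {
            ReflectionTestUtils.invokeMethod(this.userAclService, "checkAclPermission", new Object[]{"admin", "DATA_QUERY"});
        });
        ((UserAclManager) this.userAclService.getManager(UserAclManager.class)).addPermission("admin", AclPermission.DATA_QUERY);
        Assert.assertThrows(MsgPicker.getMsg().getGrantPermissionFailedByNonSystemAdmin(), KylinException.class, () -> {
            ReflectionTestUtils.invokeMethod(this.userAclService, "checkAclPermission", new Object[]{"test", "DATA_QUERY"});
        });
        // Put the autowired user service back.
        ReflectionTestUtils.setField(this.userAclService, "userService", this.userService);
    }

    /**
     * With no super admins reported and "admin" stripped of DATA_QUERY, every guard is expected
     * to deny: the login-user checks, the admin check and AclEvaluate's project query check.
     *
     * <p>NOTE(review): the leading String in the three-argument {@code assertThrows} calls is the
     * failure message only; the exception text is not compared.
     */
    @Test
    public void testCheckAclPermissionException() {
        ReflectionTestUtils.setField(this.userAclService, "userService", new KylinUserService() {
            public List<String> listSuperAdminUsers() {
                return Collections.emptyList();
            }
        });
        ((UserAclManager) this.userAclService.getManager(UserAclManager.class)).deletePermission("admin", AclPermission.DATA_QUERY);
        // No listed entry may carry an extended permission any more.
        Assert.assertTrue(this.userAclService.listUserAcl().stream().allMatch(userAccessEntryResponse -> {
            return CollectionUtils.isEmpty(userAccessEntryResponse.getExtPermissions());
        }));
        Assert.assertThrows(MsgPicker.getMsg().getGrantPermissionFailedByIllegalAuthorizingUser(), KylinException.class, () -> {
            ReflectionTestUtils.invokeMethod(this.userAclService, "checkLoginUserPermission", new Object[0]);
        });
        Assert.assertThrows(MsgPicker.getMsg().getGrantPermissionFailedByIllegalAuthorizingUser(), KylinException.class, () -> {
            ReflectionTestUtils.invokeMethod(this.userAclService, "checkLoginUserPermissionInPrj", new Object[]{"default"});
        });
        Assert.assertFalse(this.userAclService.hasUserAclPermissionInProject("default"));
        Assert.assertThrows(AccessDeniedException.class, () -> {
            ReflectionTestUtils.invokeMethod(this.userAclService, "checkAdminUser", new Object[]{"default"});
        });
        Assert.assertThrows(AccessDeniedException.class, () -> {
            ReflectionTestUtils.invokeMethod(this.aclEvaluate, "checkProjectQueryPermission", new Object[]{"default"});
        });
    }

    /**
     * Checks the three rejections of the private {@code checkAdminUser} guard: an empty name,
     * a user that does not exist, and an existing user that is not a system admin.
     *
     * <p>Each case gets its own {@code assertThrows}. Chaining them on the ExpectedException rule
     * would end the test at the first throw and leave the second and third cases unexecuted.
     * The message checks use {@code contains}, the same substring match the rule applies.
     */
    @Test
    public void testCheckAdminUser() {
        KylinException emptySid = Assert.assertThrows(KylinException.class, () -> {
            ReflectionTestUtils.invokeMethod(this.userAclService, "checkAdminUser", new Object[]{""});
        });
        Assert.assertTrue(emptySid.getMessage().contains(MsgPicker.getMsg().getEmptySid()));

        KylinException unknownUser = Assert.assertThrows(KylinException.class, () -> {
            ReflectionTestUtils.invokeMethod(this.userAclService, "checkAdminUser", new Object[]{"test_not"});
        });
        Assert.assertTrue(unknownUser.getMessage().contains(String.format(Locale.ROOT, MsgPicker.getMsg().getOperationFailedByUserNotExist(), "test_not")));

        KylinException nonAdmin = Assert.assertThrows(KylinException.class, () -> {
            ReflectionTestUtils.invokeMethod(this.userAclService, "checkAdminUser", new Object[]{"test"});
        });
        Assert.assertTrue(nonAdmin.getMessage().contains(MsgPicker.getMsg().getGrantPermissionFailedByNonSystemAdmin()));
    }

    /**
     * Covers how DATA_QUERY follows role changes: it disappears when ROLE_ADMIN is removed from
     * a user, and {@code updateUserAclPermission} grants it only while the default is enabled.
     */
    @Test
    public void testUpdateGlobalPermission() {
        createRoleAdminUserIfAbsent("ADMIN1");
        this.userAclService.grantUserAclPermission("ADMIN1", "DATA_QUERY");
        Assert.assertTrue(this.userAclService.hasUserAclPermission("ADMIN1", AclPermission.DATA_QUERY));
        // Demote ADMIN1: after the update neither the permission nor the ACL record may remain.
        UserDetails loadUserByUsername = this.userService.loadUserByUsername("ADMIN1");
        loadUserByUsername.getAuthorities().remove(new SimpleGrantedAuthority("ROLE_ADMIN"));
        this.userService.updateUser(loadUserByUsername);
        Assert.assertFalse(this.userAclService.hasUserAclPermission("ADMIN1", AclPermission.DATA_QUERY));
        Assert.assertFalse(((UserAclManager) this.userAclService.getManager(UserAclManager.class)).exists("admin1"));

        // Default enabled (set in setup): the update grants DATA_QUERY to an admin without an ACL record.
        createRoleAdminUserIfAbsent("ADMIN2");
        this.userAclService.deleteUserAcl("ADMIN2");
        this.userAclService.updateUserAclPermission(this.userService.loadUserByUsername("ADMIN2"), AclPermission.DATA_QUERY);
        Assert.assertTrue(this.userAclService.hasUserAclPermission("ADMIN2", AclPermission.DATA_QUERY));

        // Default disabled: the same update must not grant anything.
        getTestConfig().setProperty(DATA_PERMISSION_DEFAULT_ENABLED, "false");
        createRoleAdminUserIfAbsent("ADMIN3");
        this.userAclService.updateUserAclPermission(this.userService.loadUserByUsername("ADMIN3"), AclPermission.DATA_QUERY);
        Assert.assertFalse(this.userAclService.hasUserAclPermission("ADMIN3", AclPermission.DATA_QUERY));
    }

    /**
     * Deleting a user must leave no ACL record behind, whether or not the user had DATA_QUERY
     * by default.
     */
    @Test
    public void testDeleteUser() {
        // Default disabled: a new admin has no DATA_QUERY.
        getTestConfig().setProperty(DATA_PERMISSION_DEFAULT_ENABLED, "false");
        createRoleAdminUserIfAbsent("ADMIN4");
        Assert.assertFalse(this.userAclService.hasUserAclPermission("ADMIN4", AclPermission.DATA_QUERY));
        this.userService.deleteUser("ADMIN4");
        Assert.assertFalse(((UserAclManager) this.userAclService.getManager(UserAclManager.class)).exists("ADMIN4"));

        // Default enabled: a new admin has DATA_QUERY, and deletion must still remove the record.
        getTestConfig().setProperty(DATA_PERMISSION_DEFAULT_ENABLED, "true");
        createRoleAdminUserIfAbsent("ADMIN4");
        Assert.assertTrue(this.userAclService.hasUserAclPermission("ADMIN4", AclPermission.DATA_QUERY));
        this.userService.deleteUser("ADMIN4");
        Assert.assertFalse(((UserAclManager) this.userAclService.getManager(UserAclManager.class)).exists("ADMIN4"));
    }

    /** After the "_global" epoch is updated and admin ACLs are synced, "admin" holds DATA_QUERY. */
    @Test
    public void testSyncAdminUserAcl() {
        // presumably the sync only acts when this node owns the global epoch; verify in the service
        EpochManager.getInstance().tryUpdateEpoch("_global", true);
        this.userAclService.syncAdminUserAcl();
        Assert.assertTrue(this.userAclService.hasUserAclPermission("admin", AclPermission.DATA_QUERY));
    }

    /**
     * The authenticated user is a super admin and may query. With the super-admin check stubbed
     * to false the query is still allowed; presumably this is due to the default enabled in
     * setup, which should be confirmed against {@code canAdminUserQuery}.
     */
    @Test
    public void testSuperAdmin() {
        Assert.assertTrue(this.userAclService.isSuperAdmin(SecurityContextHolder.getContext().getAuthentication().getName()));
        Assert.assertTrue(this.userAclService.canAdminUserQuery());
        // doReturn(..).when(spy) stubs without first invoking the real isSuperAdmin with a matcher
        // placeholder, which when(spy.isSuperAdmin(..)) would do on a spy.
        Mockito.doReturn(false).when(this.userAclService).isSuperAdmin(Mockito.anyString());
        Assert.assertTrue(this.userAclService.canAdminUserQuery());
    }

    /** A batch request naming two admins grants DATA_QUERY to both of them. */
    @Test
    public void testBatchGrantUserAclPermission() {
        getTestConfig().setProperty(DATA_PERMISSION_DEFAULT_ENABLED, "false");
        createRoleAdminUserIfAbsent("ADMIN1");
        createRoleAdminUserIfAbsent("ADMIN2");
        GlobalBatchAccessRequest globalBatchAccessRequest = new GlobalBatchAccessRequest();
        globalBatchAccessRequest.setUsernameList(Arrays.asList("ADMIN1", "ADMIN2"));
        this.userAclService.grantUserAclPermission(globalBatchAccessRequest, "DATA_QUERY");
        Assert.assertTrue(this.userAclService.hasUserAclPermission("ADMIN1", AclPermission.DATA_QUERY));
        Assert.assertTrue(this.userAclService.hasUserAclPermission("ADMIN2", AclPermission.DATA_QUERY));
    }
}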
