package io.apicurio.registry.auth;

import io.apicurio.registry.AbstractResourceTestBase;
import io.apicurio.registry.rest.client.RegistryClient;
import io.apicurio.registry.rest.client.RegistryClientFactory;
import io.apicurio.registry.rest.v2.beans.RoleMapping;
import io.apicurio.registry.rest.v2.beans.Rule;
import io.apicurio.registry.rules.validity.ValidityLevel;
import io.apicurio.registry.types.RoleType;
import io.apicurio.registry.types.RuleType;
import io.apicurio.registry.utils.tests.AuthTestProfileWithLocalRoles;
import io.apicurio.rest.client.auth.Auth;
import io.apicurio.rest.client.auth.OidcAuth;
import io.apicurio.rest.client.auth.exception.ForbiddenException;
import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.junit.TestProfile;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Optional;
import java.util.UUID;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;

/**
 * Authorization test for registry-local role mappings.
 *
 * <p>Runs under {@link AuthTestProfileWithLocalRoles} and walks one principal through the
 * privilege ladder: no mapping, then {@code READ_ONLY}, {@code DEVELOPER} and {@code ADMIN}.
 * At each step it checks both sides of the boundary: operations the role should allow must
 * succeed, and operations above the role must be rejected with {@link ForbiddenException}.
 */
@QuarkusTest
@TestProfile(AuthTestProfileWithLocalRoles.class)
@Tag("docker")
public class AuthTestLocalRoles extends AbstractResourceTestBase {
    private static final String TEST_CONTENT = "{\r\n    \"type\" : \"record\",\r\n    \"name\" : \"userInfo\",\r\n    \"namespace\" : \"my.example\",\r\n    \"fields\" : [{\"name\" : \"age\", \"type\" : \"int\"}]\r\n} ";

    // Token endpoint of the auth server, injected from test configuration.
    @ConfigProperty(name = "registry.auth.token.endpoint")
    String authServerUrlConfigured;
    // Client that starts out with no role mapping in the registry.
    String noRoleClientId = "registry-api-no-role";
    // Principal the registry sees for that client; this is the key used for role mappings.
    String noRolePrincipalId = "service-account-registry-api-no-role";
    // Client used to administer role mappings during the test.
    String adminClientId = "registry-api";
    final String groupId = "authTestGroupId";

    /** Builds a v2 registry client that authenticates with the given {@code auth}. */
    private RegistryClient createClient(Auth auth) {
        return RegistryClientFactory.create(this.registryV2ApiUrl, Collections.emptyMap(), auth);
    }

    /**
     * Builds OIDC credentials for {@code clientId} against the configured token endpoint.
     * The fixed "test1" value is presumably the test realm's client secret (confirm against
     * the test profile); it must never be reused outside the test environment.
     */
    private OidcAuth oidcAuth(String clientId) {
        return new OidcAuth(this.authServerUrlConfigured, clientId, "test1", Optional.empty());
    }

    /** Returns a fresh stream over the sample schema used as artifact content. */
    private ByteArrayInputStream testContent() {
        return new ByteArrayInputStream(TEST_CONTENT.getBytes(StandardCharsets.UTF_8));
    }

    /** Returns a new global VALIDITY rule configured at the FULL level. */
    private Rule newValidityRule() {
        Rule validity = new Rule();
        validity.setConfig(ValidityLevel.FULL.name());
        validity.setType(RuleType.VALIDITY);
        return validity;
    }

    /** Supplies the base class with a client authenticated as the admin client. */
    @Override
    public RegistryClient createRestClientV2() {
        return createClient(oidcAuth(this.adminClientId));
    }

    /**
     * Verifies that access follows the locally mapped role and nothing else.
     *
     * <p>Allowed operations carry no explicit assertion: they pass by completing without
     * an exception. Denied operations must raise {@link ForbiddenException}.
     *
     * @throws Exception if any call that is expected to succeed fails
     */
    @Test
    public void testLocalRoles() throws Exception {
        RegistryClient adminClient = createClient(oidcAuth(this.adminClientId));
        RegistryClient noRoleClient = createClient(oidcAuth(this.noRoleClientId));

        // Without any role mapping the principal is denied reads, writes and admin actions.
        Assertions.assertThrows(ForbiddenException.class,
                () -> noRoleClient.listArtifactsInGroup("default"));
        Assertions.assertThrows(ForbiddenException.class,
                () -> noRoleClient.createArtifact(getClass().getSimpleName(), UUID.randomUUID().toString(), testContent()));
        Assertions.assertThrows(ForbiddenException.class,
                () -> noRoleClient.createGlobalRule(newValidityRule()));

        // The admin client can read and can list global rules.
        adminClient.listArtifactsInGroup("default");
        adminClient.listGlobalRules();

        // READ_ONLY: listing works, but creating artifacts or global rules stays forbidden.
        RoleMapping mapping = new RoleMapping();
        mapping.setPrincipalId(this.noRolePrincipalId);
        mapping.setRole(RoleType.READ_ONLY);
        adminClient.createRoleMapping(mapping);
        noRoleClient.listArtifactsInGroup("default");
        Assertions.assertThrows(ForbiddenException.class,
                () -> noRoleClient.createArtifact(getClass().getSimpleName(), UUID.randomUUID().toString(), testContent()));
        Assertions.assertThrows(ForbiddenException.class,
                () -> noRoleClient.createGlobalRule(newValidityRule()));

        // DEVELOPER: artifacts can be created, global rules are still out of reach.
        adminClient.updateRoleMapping(this.noRolePrincipalId, RoleType.DEVELOPER);
        noRoleClient.listArtifactsInGroup("default");
        noRoleClient.createArtifact(getClass().getSimpleName(), UUID.randomUUID().toString(), testContent());
        Assertions.assertThrows(ForbiddenException.class,
                () -> noRoleClient.createGlobalRule(newValidityRule()));

        // ADMIN: every operation exercised above is now permitted.
        adminClient.updateRoleMapping(this.noRolePrincipalId, RoleType.ADMIN);
        noRoleClient.listArtifactsInGroup("default");
        noRoleClient.createArtifact(getClass().getSimpleName(), UUID.randomUUID().toString(), testContent());
        noRoleClient.createGlobalRule(newValidityRule());
        // NOTE(review): the ADMIN mapping and the global VALIDITY rule are not removed here.
        // If the base class does not reset registry state, later tests sharing this instance
        // would see the "no-role" principal as an administrator - confirm cleanup exists.
    }
}
