package com.e2eq.framework.security;

import com.e2eq.framework.model.persistent.security.Rule;
import com.e2eq.framework.model.persistent.security.UserProfile;
import com.e2eq.framework.model.securityrules.PrincipalContext;
import com.e2eq.framework.model.securityrules.ResourceContext;
import com.e2eq.framework.model.securityrules.RuleContext;
import com.e2eq.framework.model.securityrules.RuleEffect;
import com.e2eq.framework.model.securityrules.SecurityCheckResponse;
import com.e2eq.framework.model.securityrules.SecurityURI;
import com.e2eq.framework.model.securityrules.SecurityURIBody;
import com.e2eq.framework.model.securityrules.SecurityURIHeader;
import com.e2eq.framework.persistent.BaseRepoTest;
import com.e2eq.framework.util.IOCase;
import com.e2eq.framework.util.SecurityUtils;
import com.e2eq.framework.util.WildCardMatcher;
import dev.morphia.query.filters.Filter;
import io.quarkus.logging.Log;
import io.quarkus.test.junit.QuarkusTest;
import jakarta.inject.Inject;
import java.util.ArrayList;
import java.util.List;
import lombok.Generated;
import org.graalvm.polyglot.Context;
import org.graalvm.polyglot.Source;
import org.graalvm.polyglot.Value;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

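/**
 * Integration tests for the security rule engine: wildcard matching of security URIs,
 * GraalVM polyglot script evaluation, and allow/deny decisions made by {@link RuleContext}.
 *
 * <p>Runs under {@code @QuarkusTest}; test identities, realms and data domains come from
 * {@code testUtils}, which is inherited from {@link BaseRepoTest}.
 */
@QuarkusTest
public class TestSecurity extends BaseRepoTest {

    // Not referenced by the tests below, which log through io.quarkus.logging.Log.
    @Generated
    private static final Logger log = LoggerFactory.getLogger(TestSecurity.class);

    @Inject
    SecurityUtils securityUtils;

    /** A trailing {@code *} pattern matches a longer URI when case is ignored. */
    @Test
    public void testWildCardMatcher() {
        boolean matched = WildCardMatcher.wildcardMatch(
                "SALESORDER:UPDATE:b2bi.0000000001.end2endlogic.salesOrder.0.34534534",
                "salesorder:update:b2bi.0000000001.end2endlogic.salesorder.0*",
                IOCase.INSENSITIVE);
        if (matched) {
            Log.debug("Matches");
        } else {
            Log.error("Did not match");
        }
        Assertions.assertTrue(matched);
    }

    /** A pattern without wildcards matches the identical URI. */
    @Test
    void testWildCardMatcherExactMatch() {
        boolean matched = WildCardMatcher.wildcardMatch(
                "user:security:userProfile:view:b2bi:0000000001:end2endlogic.com:0",
                "user:security:userProfile:view:b2bi:0000000001:end2endlogic.com:0",
                IOCase.INSENSITIVE);
        if (matched) {
            Log.debug("Matches");
        } else {
            Log.error("Did not match");
        }
        Assertions.assertTrue(matched);
    }

    /**
     * Binds a principal and a resource context into a JavaScript context and evaluates a
     * boolean expression against them.
     */
    @Test
    void testJavaScript() {
        PrincipalContext principal = new PrincipalContext.Builder()
                .withDataDomain(this.testUtils.getTestDataDomain())
                .withDefaultRealm(this.testUtils.getTestRealm())
                .withUserId(this.testUtils.getTestUserId())
                .withRoles(new String[]{"user"})
                .build();
        ResourceContext resource = new ResourceContext.Builder()
                .withArea("security")
                .withFunctionalDomain("userProfile")
                .withAction("view")
                .build();

        // SECURITY: allowAllAccess(true) gives the guest script unrestricted access to the host.
        // It is tolerable here only because the evaluated script is a fixed literal.
        // NOTE(review): rules carry a postcondition script (see testRuleContext). If the
        // framework evaluates those in a context built like this one, whoever can author a rule
        // gets full host access -- confirm the production context is restricted to the bound
        // objects.
        // try-with-resources closes the polyglot context, which the test previously leaked.
        try (Context context = Context.newBuilder().allowAllAccess(true).build()) {
            Value bindings = context.getBindings("js");
            bindings.putMember("pcontext", principal);
            bindings.putMember("rcontext", resource);
            Value result = context.eval(
                    "js",
                    "rcontext.getFunctionalDomain() == 'userProfile' && rcontext.getAction() == 'view'");
            Assertions.assertTrue(result.asBoolean());
        }
    }

    /** Exports a Python function through the polyglot bindings and calls it from Java. */
    @Test
    void testPython() {
        Context.Builder builder = Context.newBuilder();
        // SECURITY: full host access for the guest; acceptable only for the fixed script below.
        builder.allowAllAccess(true);
        // try-with-resources closes the polyglot context, which the test previously leaked.
        try (Context context = builder.build()) {
            context.eval(Source.create("python", "import polyglot\n@polyglot.export_value\ndef foo(externalInput):\n    print('Called with: ' + externalInput)\n    return 'Got output'\n\n"));
            Value foo = context.getPolyglotBindings().getMember("foo");
            Assertions.assertTrue(foo.canExecute());
            Assertions.assertEquals("Got output", foo.execute("myInput").asString());
        }
    }

    /**
     * Builds a {@link RuleContext} holding two hand-written rules and checks the resulting
     * decisions: an admin may view any user profile, and a user may act only on a profile whose
     * owner id equals the user's id.
     */
    @Test
    void testRuleContext() {
        RuleContext ruleContext = new RuleContext();

        // Rule 1: identity "admin" may "view" security/userProfile; every body field is a wildcard.
        SecurityURIHeader adminHeader = new SecurityURIHeader.Builder()
                .withIdentity("admin")
                .withArea("security")
                .withFunctionalDomain("userProfile")
                .withAction("view")
                .build();
        SecurityURIBody adminBody = new SecurityURIBody.Builder()
                .withOrgRefName(SecurityUtils.any)
                .withAccountNumber(SecurityUtils.any)
                .withRealm(SecurityUtils.any)
                .withTenantId(SecurityUtils.any)
                .withOwnerId(SecurityUtils.any)
                .withDataSegment(SecurityUtils.any)
                .build();
        Rule.Builder ruleBuilder = new Rule.Builder()
                .withName("admin can view  any userprofile")
                .withSecurityURI(new SecurityURI(adminHeader, adminBody))
                .withEffect(RuleEffect.ALLOW)
                .withPriority(Rule.DEFAULT_PRIORITY)
                .withFinalRule(true);
        ruleContext.addRule(adminHeader, ruleBuilder.build());

        // Rule 2: identity "user", any action on security/userProfile, gated by a postcondition
        // script that compares the principal's user id with the resource's owner id.
        SecurityURIHeader userHeader = new SecurityURIHeader.Builder()
                .withIdentity("user")
                .withArea("security")
                .withFunctionalDomain("userProfile")
                .withAction(SecurityUtils.any)
                .build();
        SecurityURIBody userBody = new SecurityURIBody.Builder()
                .withOrgRefName(SecurityUtils.any)
                .withAccountNumber(SecurityUtils.any)
                .withRealm(SecurityUtils.any)
                .withTenantId(SecurityUtils.any)
                .withOwnerId(SecurityUtils.any)
                .withDataSegment(SecurityUtils.any)
                .build();
        SecurityURI userUri = new SecurityURI(userHeader, userBody);
        // The builder from rule 1 is reused and the chained result is discarded, so the
        // ALLOW effect and finalRule=true set above are presumably carried over into rule 2
        // (assumes the with* setters mutate the builder in place -- verify if it ever copies).
        ruleBuilder
                .withName("only able to act on your own userProfile")
                .withSecurityURI(userUri)
                .withPriority(Rule.DEFAULT_PRIORITY + 11)
                .withPostconditionScript("pcontext.getUserId() == rcontext.getOwnerId()")
                .withAndFilterString("dataDomain.ownerId:${principalId}");
        ruleContext.addRule(userUri.getHeader(), ruleBuilder.build());

        PrincipalContext adminPrincipal = new PrincipalContext.Builder()
                .withDefaultRealm(this.testUtils.getTestRealm())
                .withUserId(this.testUtils.getSystemUserId())
                .withRoles(new String[]{"admin"})
                .withDataDomain(this.testUtils.getSystemDataDomain())
                .build();
        PrincipalContext userPrincipal = new PrincipalContext.Builder()
                .withDefaultRealm(this.testUtils.getTestRealm())
                .withUserId(this.testUtils.getTestUserId())
                .withRoles(new String[]{"user"})
                .withDataDomain(this.testUtils.getSystemDataDomain())
                .build();
        ResourceContext systemProfile = new ResourceContext.Builder()
                .withArea("security")
                .withFunctionalDomain("userProfile")
                .withAction("view")
                .withResourceId("234232")
                .withOwnerId("sysAdmin@system-com")
                .build();
        ResourceContext ownProfile = new ResourceContext.Builder()
                .withArea("security")
                .withFunctionalDomain("userProfile")
                .withAction("view")
                .withResourceId("234233")
                .withOwnerId(this.testUtils.getTestUserId())
                .build();

        // Scratch list handed to getFilters; cleared between scenarios.
        List<Filter> scratch = new ArrayList<>();

        // Scenario 1: the admin views the system profile -> exactly one rule matches, ALLOW.
        SecurityCheckResponse adminCheck = ruleContext.checkRules(adminPrincipal, systemProfile);
        List<Filter> adminFilters =
                ruleContext.getFilters(scratch, adminPrincipal, systemProfile, UserProfile.class);
        logRuleResults("Testing system admin can view the system admin user profile with a default deny context", adminPrincipal, systemProfile, adminCheck, adminFilters);
        Assertions.assertEquals(1, adminCheck.getMatchedRuleResults().size());
        Assertions.assertEquals(RuleEffect.ALLOW, adminCheck.getFinalEffect());
        Assertions.assertTrue(adminFilters.isEmpty());

        // Scenario 2: a plain user views a profile owned by someone else -> DENY.
        Log.info("Test if mingardia is denied trying to view the system's profile with a default deny context'");
        SecurityCheckResponse foreignCheck = ruleContext.checkRules(userPrincipal, systemProfile);
        scratch.clear();
        List<Filter> foreignFilters =
                ruleContext.getFilters(scratch, userPrincipal, systemProfile, UserProfile.class);
        logRuleResults("Test if mingardia is denied trying to view the system's profile with a default deny context'", userPrincipal, systemProfile, foreignCheck, foreignFilters);
        Assertions.assertEquals(RuleEffect.DENY, foreignCheck.getFinalEffect());
        Assertions.assertTrue(foreignFilters.isEmpty());

        // Scenario 3: same request with ALLOW as the third argument (presumably the default
        // effect) -> ALLOW, which shows the DENY above was not produced by an explicit rule.
        SecurityCheckResponse defaultAllowCheck =
                ruleContext.checkRules(userPrincipal, systemProfile, RuleEffect.ALLOW);
        scratch.clear();
        // NOTE(review): the filters logged here are computed for the admin principal although
        // the check ran for the user principal; log output only, kept as in the original.
        logRuleResults("show that its really about the default not an explicit rule", userPrincipal, systemProfile, defaultAllowCheck, ruleContext.getFilters(scratch, adminPrincipal, systemProfile, UserProfile.class));
        Assertions.assertEquals(RuleEffect.ALLOW, defaultAllowCheck.getFinalEffect());

        // Scenario 4: the user views their own profile -> ALLOW.
        SecurityCheckResponse ownCheck = ruleContext.checkRules(userPrincipal, ownProfile);
        scratch.clear();
        // NOTE(review): the message and the logged resource still describe scenario 3
        // (systemProfile) although the check ran against ownProfile; log output only.
        logRuleResults("show that its really about the default not an explicit rule", userPrincipal, systemProfile, ownCheck, ruleContext.getFilters(scratch, userPrincipal, ownProfile, UserProfile.class));
        Assertions.assertEquals(RuleEffect.ALLOW, ownCheck.getFinalEffect());
    }

    /**
     * Loads the default rules through {@code ensureDefaultRules()} and checks that every tested
     * principal/resource pair is allowed and yields at least one filter.
     */
    @Test
    public void testDefaultRuleContext() {
        PrincipalContext adminPrincipal = new PrincipalContext.Builder()
                .withDefaultRealm(this.testUtils.getTestRealm())
                .withUserId(this.testUtils.getSystemUserId())
                .withRoles(new String[]{"admin"})
                .withDataDomain(this.testUtils.getSystemDataDomain())
                .build();
        PrincipalContext userPrincipal = new PrincipalContext.Builder()
                .withDefaultRealm(this.testUtils.getTestRealm())
                .withUserId(this.testUtils.getTestUserId())
                .withRoles(new String[]{"user"})
                .withDataDomain(this.testUtils.getTestDataDomain())
                .build();
        ResourceContext systemProfile = new ResourceContext.Builder()
                .withArea("security")
                .withFunctionalDomain("userProfile")
                .withAction("view")
                .withResourceId("234232")
                .withOwnerId(this.testUtils.getSystemUserId())
                .build();
        // NOTE(review): the owner id is set from getTestTenantId(), not a user id -- confirm
        // this is intended.
        ResourceContext tenantProfile = new ResourceContext.Builder()
                .withArea("security")
                .withFunctionalDomain("userProfile")
                .withAction("view")
                .withResourceId("234233")
                .withOwnerId(this.testUtils.getTestTenantId())
                .build();

        List<Filter> scratch = new ArrayList<>();
        RuleContext ruleContext = new RuleContext(this.securityUtils);
        ruleContext.ensureDefaultRules();

        // Admin on the system-owned profile.
        SecurityCheckResponse adminSystemCheck = ruleContext.checkRules(adminPrincipal, systemProfile);
        Assertions.assertEquals(RuleEffect.ALLOW, adminSystemCheck.getFinalEffect());
        List<Filter> adminSystemFilters =
                ruleContext.getFilters(scratch, adminPrincipal, systemProfile, UserProfile.class);
        logRuleResults("Testing system admin can view the system admin user profile with a default deny context", adminPrincipal, systemProfile, adminSystemCheck, adminSystemFilters);
        Assertions.assertFalse(adminSystemFilters.isEmpty());
        adminSystemFilters.clear();

        // Admin on the second profile.
        SecurityCheckResponse adminTenantCheck = ruleContext.checkRules(adminPrincipal, tenantProfile);
        Assertions.assertEquals(RuleEffect.ALLOW, adminTenantCheck.getFinalEffect());
        // NOTE(review): filters are requested for systemProfile although the check above ran
        // against tenantProfile; this looks like a copy/paste slip but is left unchanged because
        // it affects what the assertion below exercises.
        List<Filter> adminTenantFilters =
                ruleContext.getFilters(adminSystemFilters, adminPrincipal, systemProfile, UserProfile.class);
        logRuleResults("Testing system admin can view the system admin user profile with a default deny context", adminPrincipal, systemProfile, adminTenantCheck, adminTenantFilters);
        Assertions.assertFalse(adminTenantFilters.isEmpty());
        adminTenantFilters.clear();

        // Plain user on the second profile.
        SecurityCheckResponse userTenantCheck = ruleContext.checkRules(userPrincipal, tenantProfile);
        Assertions.assertEquals(RuleEffect.ALLOW, userTenantCheck.getFinalEffect());
        List<Filter> userTenantFilters =
                ruleContext.getFilters(adminTenantFilters, userPrincipal, tenantProfile, UserProfile.class);
        logRuleResults("Testing system admin can view the system admin user profile with a default deny context", userPrincipal, tenantProfile, userTenantCheck, userTenantFilters);
        Assertions.assertFalse(userTenantFilters.isEmpty());
    }

    /**
     * Writes one rule-evaluation scenario to the log at INFO level.
     *
     * @param str                   headline describing the scenario
     * @param principalContext      principal the check ran for
     * @param resourceContext       resource the check ran against
     * @param securityCheckResponse outcome of the check (matched rules, final effect, match events)
     * @param list                  filters produced for the same request; may be empty
     */
    public void logRuleResults(String str, PrincipalContext principalContext, ResourceContext resourceContext, SecurityCheckResponse securityCheckResponse, List<Filter> list) {
        Log.info("---------------------------------------------------------");
        Log.info(str);
        Log.info("Principal:" + principalContext.toString());
        Log.info("Resource:" + resourceContext.toString());
        Log.info("Matched rules:" + securityCheckResponse.getMatchedRuleResults().size());
        Log.info("Final Effect:" + String.valueOf(securityCheckResponse.getFinalEffect()));
        Log.info("Match Results:");
        securityCheckResponse.getMatchEvents().forEach(matchEvent -> Log.info(matchEvent.toString()));
        if (list.isEmpty()) {
            Log.info("NoFilters");
            return;
        }
        Log.info("**** Filters:");
        list.forEach(filter -> Log.info(filter.toString()));
    }
}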
