package com.vmware.xenon.common;

import com.vmware.xenon.common.Claims;
import com.vmware.xenon.common.Operation;
import com.vmware.xenon.common.Service;
import com.vmware.xenon.common.TaskState;
import com.vmware.xenon.common.TestServiceHost;
import com.vmware.xenon.common.test.AuthorizationHelper;
import com.vmware.xenon.common.test.QueryTestUtils;
import com.vmware.xenon.common.test.TestContext;
import com.vmware.xenon.common.test.TestProperty;
import com.vmware.xenon.common.test.VerificationHost;
import com.vmware.xenon.services.common.AuthorizationCacheUtils;
import com.vmware.xenon.services.common.AuthorizationContextService;
import com.vmware.xenon.services.common.ExampleService;
import com.vmware.xenon.services.common.GuestUserService;
import com.vmware.xenon.services.common.MinimalTestService;
import com.vmware.xenon.services.common.QueryTask;
import com.vmware.xenon.services.common.RoleService;
import com.vmware.xenon.services.common.UserGroupService;
import com.vmware.xenon.services.common.UserService;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;
import java.util.logging.Level;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:com/vmware/xenon/common/TestAuthorization.class */
public class TestAuthorization extends BasicTestCase {
    public int serviceCount = 10;
    private String userServicePath;
    private AuthorizationHelper authHelper;

    /* loaded from: input_file:com/vmware/xenon/common/TestAuthorization$AuthzStatefulService.class */
    public static class AuthzStatefulService extends StatefulService {

        /* loaded from: input_file:com/vmware/xenon/common/TestAuthorization$AuthzStatefulService$AuthzState.class */
        public static class AuthzState extends ServiceDocument {
            public String userLink;
        }

        public AuthzStatefulService() {
            super(AuthzState.class);
        }

        public void handleStart(Operation operation) {
            AuthzState authzState = (AuthzState) operation.getBody(AuthzState.class);
            Operation.AuthorizationContext authorizationContextForSubject = getAuthorizationContextForSubject(authzState.userLink);
            if (authorizationContextForSubject == null || !authorizationContextForSubject.getClaims().getSubject().equals(authzState.userLink)) {
                operation.fail(500);
            } else {
                operation.complete();
            }
        }
    }

    /* loaded from: input_file:com/vmware/xenon/common/TestAuthorization$AuthzStatelessService.class */
    public static class AuthzStatelessService extends StatelessService {
        public void handleRequest(Operation operation) {
            if (operation.getAction() == Service.Action.PATCH) {
                operation.complete();
            } else {
                super.handleRequest(operation);
            }
        }
    }

    @Override // com.vmware.xenon.common.BasicTestCase
    public void beforeHostStart(VerificationHost verificationHost) {
        verificationHost.setAuthorizationService(new AuthorizationContextService());
        verificationHost.setAuthorizationEnabled(true);
        CommandLineArgumentParser.parseFromProperties(this);
    }

    @Before
    public void enableTracing() throws Throwable {
        this.host.toggleOperationTracing(this.host.getUri(), true);
    }

    @After
    public void disableTracing() throws Throwable {
        this.host.toggleOperationTracing(this.host.getUri(), false);
    }

    @Before
    public void setupRoles() throws Throwable {
        this.host.setSystemAuthorizationContext();
        this.authHelper = new AuthorizationHelper(this.host);
        this.userServicePath = this.authHelper.createUserService(this.host, "jane@doe.com");
        this.authHelper.createRoles(this.host, "jane@doe.com");
        this.host.resetAuthorizationContext();
    }

    @Test
    public void statelessServiceAuthorization() throws Throwable {
        this.host.setSystemAuthorizationContext();
        String uuid = UUID.randomUUID().toString();
        this.authHelper.createRole(this.host, this.authHelper.getUserGroupLink(), this.authHelper.createResourceGroup(this.host, "stateless-service-group", QueryTask.Query.Builder.create().addFieldClause("documentSelfLink", TestServiceHost.C1RootUiService.SELF_LINK + uuid).build()), new HashSet(Arrays.asList(Service.Action.GET, Service.Action.POST, Service.Action.PATCH, Service.Action.DELETE)));
        this.host.resetAuthorizationContext();
        Operation.CompletionHandler completionHandler = (operation, th) -> {
            if (th == null || operation.getStatusCode() != 403) {
                this.host.failIteration(new IllegalStateException("Operation did not fail with proper status code"));
            } else {
                this.host.completeIteration();
            }
        };
        this.host.assumeIdentity(this.userServicePath);
        Operation createPost = Operation.createPost(UriUtils.buildUri(this.host, uuid));
        this.host.testStart(1L);
        createPost.setCompletion(this.host.getCompletion());
        this.host.startService(createPost, new AuthzStatelessService());
        this.host.testWait();
        this.host.testStart(1L);
        this.host.send(Operation.createDelete(createPost.getUri()).setCompletion(this.host.getCompletion()));
        this.host.testWait();
        this.host.resetAuthorizationContext();
        this.host.testStart(1L);
        Operation createPost2 = Operation.createPost(UriUtils.buildUri(this.host, uuid));
        createPost2.setCompletion(completionHandler);
        this.host.startService(createPost2, new AuthzStatelessService());
        this.host.testWait();
        this.host.assumeIdentity(this.userServicePath);
        Operation createPost3 = Operation.createPost(UriUtils.buildUri(this.host, uuid));
        this.host.testStart(1L);
        createPost3.setCompletion(this.host.getCompletion());
        this.host.startService(createPost3, new AuthzStatelessService());
        this.host.testWait();
        Operation createPatch = Operation.createPatch(UriUtils.buildUri(this.host, uuid));
        createPatch.setBody(new ServiceDocument());
        this.host.testStart(1L);
        createPatch.setCompletion(this.host.getCompletion());
        this.host.send(createPatch);
        this.host.testWait();
        this.host.resetAuthorizationContext();
        Operation createPatch2 = Operation.createPatch(UriUtils.buildUri(this.host, uuid));
        createPatch2.setBody(new ServiceDocument());
        this.host.testStart(1L);
        createPatch2.setCompletion(completionHandler);
        this.host.send(createPatch2);
        this.host.testWait();
    }

    @Test
    public void queryTasksDirectAndContinuous() throws Throwable {
        this.host.assumeIdentity(this.userServicePath);
        createExampleServices("jane");
        this.host.createAndWaitSimpleDirectQuery("documentAuthPrincipalLink", this.userServicePath, this.serviceCount, this.serviceCount);
        QueryTask build = QueryTask.Builder.create().setResultLimit(this.serviceCount / 2).build();
        build.querySpec.query = QueryTask.Query.Builder.create().addFieldClause("documentAuthPrincipalLink", this.userServicePath).build();
        URI createQueryTaskService = this.host.createQueryTaskService(build);
        this.host.waitFor("task not finished in time", () -> {
            QueryTask serviceState = this.host.getServiceState((EnumSet<TestProperty>) null, (Class<QueryTask>) QueryTask.class, createQueryTaskService);
            if (TaskState.isFailed(serviceState.taskInfo)) {
                throw new IllegalStateException("task failed");
            }
            if (!TaskState.isFinished(serviceState.taskInfo)) {
                return false;
            }
            build.taskInfo = serviceState.taskInfo;
            build.results = serviceState.results;
            return true;
        });
        TestContext testCreate = this.host.testCreate(1);
        this.host.send(Operation.createGet(UriUtils.buildUri(this.host, build.results.nextPageLink)).setCompletion(testCreate.getCompletion()));
        testCreate.await();
        int i = this.serviceCount;
        TestContext testCreate2 = testCreate(i);
        Consumer consumer = operation -> {
            operation.complete();
            String subject = operation.getAuthorizationContext().getClaims().getSubject();
            if (!this.userServicePath.equals(subject)) {
                testCreate2.fail(new IllegalStateException("Invalid auth subject in notification: " + subject));
            } else {
                this.host.log("Received authorized notification for index patch: %s", operation.toString());
                testCreate2.complete();
            }
        };
        QueryTask build2 = QueryTask.Builder.create().setQuery(QueryTask.Query.Builder.create().addKindFieldClause(ExampleService.ExampleServiceState.class).build()).build();
        URI startAndSubscribeToContinuousQuery = QueryTestUtils.startAndSubscribeToContinuousQuery(this.host.getTestRequestSender(), this.host, build2, consumer);
        this.host.setSystemAuthorizationContext();
        createExampleServices("jane");
        this.host.log("Waiting on continiuous query task notifications (%d)", Integer.valueOf(i));
        testCreate2.await();
        this.host.resetSystemAuthorizationContext();
        this.host.assumeIdentity(this.userServicePath);
        QueryTestUtils.stopContinuousQuerySubscription(this.host.getTestRequestSender(), this.host, startAndSubscribeToContinuousQuery, build2);
    }

    @Test
    public void contextPropagationOnScheduleAndRunContext() throws Throwable {
        this.host.assumeIdentity(this.userServicePath);
        Operation.AuthorizationContext authorizationContext = OperationContext.getAuthorizationContext();
        Runnable runnable = () -> {
            if (OperationContext.getAuthorizationContext().equals(authorizationContext)) {
                this.host.completeIteration();
            } else {
                this.host.failIteration(new IllegalStateException("Incorrect auth context obtained"));
            }
        };
        this.host.testStart(1L);
        this.host.schedule(runnable, 1L, TimeUnit.MILLISECONDS);
        this.host.testWait();
        this.host.testStart(1L);
        this.host.run(runnable);
        this.host.testWait();
    }

    @Test
    public void guestAuthorization() throws Throwable {
        OperationContext.setAuthorizationContext(this.host.getSystemAuthorizationContext());
        this.authHelper.createRole(this.host, this.authHelper.createUserGroup(this.host, "guest-user-group", QueryTask.Query.Builder.create().addFieldClause("documentSelfLink", GuestUserService.SELF_LINK).build()), this.authHelper.createResourceGroup(this.host, "guest-resource-group", QueryTask.Query.Builder.create().addFieldClause("documentKind", Utils.buildKind(ExampleService.ExampleServiceState.class)).addFieldClause("name", "guest").build()), new HashSet(Arrays.asList(Service.Action.GET, Service.Action.POST)));
        HashMap hashMap = new HashMap();
        hashMap.putAll(createExampleServices("jane"));
        hashMap.putAll(createExampleServices("guest"));
        OperationContext.setAuthorizationContext((Operation.AuthorizationContext) null);
        ServiceDocumentQueryResult[] serviceDocumentQueryResultArr = new ServiceDocumentQueryResult[1];
        Operation completion = Operation.createGet(UriUtils.buildUri(this.host, "/core/examples")).setCompletion((operation, th) -> {
            if (th != null) {
                this.host.failIteration(th);
            } else {
                serviceDocumentQueryResultArr[0] = (ServiceDocumentQueryResult) operation.getBody(ServiceDocumentQueryResult.class);
                this.host.completeIteration();
            }
        });
        this.host.testStart(1L);
        this.host.send(completion);
        this.host.testWait();
        assertAuthorizedServicesInResult("guest", hashMap, serviceDocumentQueryResultArr[0]);
    }

    @Test
    public void actionBasedAuthorization() throws Throwable {
        this.host.assumeIdentity(this.userServicePath);
        Map<URI, ExampleService.ExampleServiceState> createExampleServices = createExampleServices("jane");
        ServiceDocumentQueryResult[] serviceDocumentQueryResultArr = new ServiceDocumentQueryResult[1];
        Operation completion = Operation.createGet(UriUtils.buildUri(this.host, "/core/examples")).setCompletion((operation, th) -> {
            if (th != null) {
                this.host.failIteration(th);
            } else {
                serviceDocumentQueryResultArr[0] = (ServiceDocumentQueryResult) operation.getBody(ServiceDocumentQueryResult.class);
                this.host.completeIteration();
            }
        });
        this.host.testStart(1L);
        this.host.send(completion);
        this.host.testWait();
        HashSet<String> hashSet = new HashSet(serviceDocumentQueryResultArr[0].documentLinks);
        Iterator it = hashSet.iterator();
        while (it.hasNext()) {
            Operation completion2 = Operation.createDelete(UriUtils.buildUri(this.host, (String) it.next())).setCompletion((operation2, th2) -> {
                if (operation2.getStatusCode() != 403) {
                    this.host.failIteration(new IllegalStateException(String.format("Expected %d, got %s", 403, Integer.valueOf(operation2.getStatusCode()))));
                } else {
                    this.host.completeIteration();
                }
            });
            this.host.testStart(1L);
            this.host.send(completion2);
            this.host.testWait();
        }
        for (String str : hashSet) {
            Operation completion3 = Operation.createPatch(UriUtils.buildUri(this.host, str)).setBody(createExampleServices.get(str)).setCompletion((operation3, th3) -> {
                if (operation3.getStatusCode() != 200) {
                    this.host.failIteration(new IllegalStateException(String.format("Expected %d, got %s", 200, Integer.valueOf(operation3.getStatusCode()))));
                } else {
                    this.host.completeIteration();
                }
            });
            this.host.testStart(1L);
            this.host.send(completion3);
            this.host.testWait();
        }
    }

    @Test
    public void testAllowAndDenyRoles() throws Exception {
        OperationContext.setAuthorizationContext(this.host.getSystemAuthorizationContext());
        Operation waitForResponse = this.host.waitForResponse(Operation.createPost(UriUtils.buildUri(this.host, "/core/examples")).setBody(createExampleServiceState("testExampleOK", 1L)));
        Assert.assertEquals(200L, waitForResponse.getStatusCode());
        assertAccess(RoleService.Policy.DENY);
        buildRole("AllowRole", RoleService.Policy.ALLOW);
        assertAccess(RoleService.Policy.ALLOW);
        buildRole("DenyRole", RoleService.Policy.DENY);
        assertAccess(RoleService.Policy.DENY);
        buildRole("AnotherAllowRole", RoleService.Policy.ALLOW);
        assertAccess(RoleService.Policy.DENY);
        OperationContext.setAuthorizationContext(this.host.getSystemAuthorizationContext());
        Assert.assertEquals(200L, this.host.waitForResponse(Operation.createDelete(UriUtils.buildUri(this.host, UriUtils.buildUriPath(new String[]{RoleService.FACTORY_LINK, "DenyRole"})))).getStatusCode());
        assertAccess(RoleService.Policy.ALLOW);
    }

    private void buildRole(String str, RoleService.Policy policy) {
        OperationContext.setAuthorizationContext(this.host.getSystemAuthorizationContext());
        TestContext testCreate = this.host.testCreate(1);
        AuthorizationSetupHelper.create().setHost(this.host).setRoleName(str).setUserGroupQuery(QueryTask.Query.Builder.create().addCollectionItemClause("email", "jane@doe.com").build()).setResourceQuery(QueryTask.Query.Builder.create().addFieldClause("documentSelfLink", "/core/examples", QueryTask.QueryTerm.MatchType.PREFIX).build()).setVerbs(EnumSet.of(Service.Action.POST, Service.Action.PUT, Service.Action.PATCH, Service.Action.GET, Service.Action.DELETE)).setPolicy(policy).setCompletion(exc -> {
            if (exc != null) {
                testCreate.failIteration(exc);
            } else {
                testCreate.completeIteration();
            }
        }).setupRole();
        this.host.testWait(testCreate);
    }

    private void assertAccess(RoleService.Policy policy) throws Exception {
        this.host.assumeIdentity(this.userServicePath);
        Operation waitForResponse = this.host.waitForResponse(Operation.createPost(UriUtils.buildUri(this.host, "/core/examples")).setBody(createExampleServiceState("testExampleDeny", 2L)));
        if (policy == RoleService.Policy.DENY) {
            Assert.assertEquals(403L, waitForResponse.getStatusCode());
        } else {
            Assert.assertEquals(200L, waitForResponse.getStatusCode());
        }
        Operation waitForResponse2 = this.host.waitForResponse(Operation.createGet(UriUtils.buildUri(this.host, "/core/examples")));
        Assert.assertEquals(200L, waitForResponse2.getStatusCode());
        ServiceDocumentQueryResult serviceDocumentQueryResult = (ServiceDocumentQueryResult) waitForResponse2.getBody(ServiceDocumentQueryResult.class);
        if (policy == RoleService.Policy.DENY) {
            Assert.assertEquals(0L, serviceDocumentQueryResult.documentCount);
        } else {
            Assert.assertNotNull(serviceDocumentQueryResult.documentCount);
            Assert.assertNotEquals(0L, serviceDocumentQueryResult.documentCount);
        }
    }

    @Test
    public void statefulServiceAuthorization() throws Throwable {
        OperationContext.setAuthorizationContext(this.host.getSystemAuthorizationContext());
        Map<URI, ExampleService.ExampleServiceState> createExampleServices = createExampleServices("john");
        OperationContext.setAuthorizationContext((Operation.AuthorizationContext) null);
        ExampleService.ExampleServiceState createExampleServiceState = createExampleServiceState("jane", new Long("100"));
        TestContext testCreate = this.host.testCreate(1);
        this.host.send(Operation.createPost(UriUtils.buildUri(this.host, "/core/examples")).setBody(createExampleServiceState).setCompletion((operation, th) -> {
            if (operation.getStatusCode() != 403) {
                testCreate.failIteration(new IllegalStateException(String.format("Expected %d, got %s", 403, Integer.valueOf(operation.getStatusCode()))));
            } else {
                testCreate.completeIteration();
            }
        }));
        this.host.testWait(testCreate);
        TestContext testCreate2 = this.host.testCreate(1);
        this.host.send(Operation.createGet(UriUtils.buildUri(this.host, "/core/examples")).setCompletion((operation2, th2) -> {
            if (th2 != null) {
                testCreate2.failIteration(new IllegalStateException(th2));
                return;
            }
            ServiceDocumentQueryResult serviceDocumentQueryResult = (ServiceDocumentQueryResult) operation2.getBody(ServiceDocumentQueryResult.class);
            if (serviceDocumentQueryResult.documentLinks.isEmpty()) {
                testCreate2.completeIteration();
            } else {
                testCreate2.failIteration(new IllegalStateException(String.format("Expected 0 results; Got %d", Integer.valueOf(serviceDocumentQueryResult.documentLinks.size()))));
            }
        }));
        this.host.testWait(testCreate2);
        this.host.assumeIdentity(this.userServicePath);
        createExampleServices.putAll(createExampleServices("jane"));
        verifyJaneAccess(createExampleServices, null);
        TestContext testCreate3 = this.host.testCreate(1);
        ServiceDocumentQueryResult[] serviceDocumentQueryResultArr = new ServiceDocumentQueryResult[1];
        this.host.send(Operation.createGet(UriUtils.buildUri(this.host, "/core/examples")).setCompletion((operation3, th3) -> {
            if (th3 != null) {
                testCreate3.failIteration(th3);
            } else {
                serviceDocumentQueryResultArr[0] = (ServiceDocumentQueryResult) operation3.getBody(ServiceDocumentQueryResult.class);
                testCreate3.completeIteration();
            }
        }));
        this.host.testWait(testCreate3);
        assertAuthorizedServicesInResult("jane", createExampleServices, serviceDocumentQueryResultArr[0]);
        QueryTask.QuerySpecification querySpecification = new QueryTask.QuerySpecification();
        querySpecification.query.setTermPropertyName("documentKind").setTermMatchValue(Utils.buildKind(ExampleService.ExampleServiceState.class));
        QueryTask waitForQueryTaskCompletion = this.host.waitForQueryTaskCompletion(querySpecification, 1, 1, this.host.createQueryTaskService(QueryTask.create(querySpecification)), false, true, false);
        Assert.assertEquals(TaskState.TaskStage.FINISHED, waitForQueryTaskCompletion.taskInfo.stage);
        assertAuthorizedServicesInResult("jane", createExampleServices, waitForQueryTaskCompletion.results);
        OperationContext.setAuthorizationContext((Operation.AuthorizationContext) null);
        verifyJaneAccess(createExampleServices, generateAuthToken(this.userServicePath));
        this.host.setSystemAuthorizationContext();
        Service authzStatefulService = new AuthzStatefulService();
        this.host.addPrivilegedService(AuthzStatefulService.class);
        AuthzStatefulService.AuthzState authzState = new AuthzStatefulService.AuthzState();
        authzState.userLink = this.userServicePath;
        this.host.startServiceAndWait(authzStatefulService, UUID.randomUUID().toString(), authzState);
        this.host.resetSystemAuthorizationContext();
    }

    private Operation.AuthorizationContext assumeIdentityAndGetContext(String str, Service service, boolean z) throws Throwable {
        Operation.AuthorizationContext assumeIdentity = this.host.assumeIdentity(str);
        if (z) {
            this.host.sendAndWaitExpectSuccess(Operation.createGet(UriUtils.buildUri(this.host, "/core/examples")));
        }
        return this.host.getAuthorizationContext(service, assumeIdentity.getToken());
    }

    @Test
    public void authCacheClearToken() throws Throwable {
        this.host.setSystemAuthorizationContext();
        String createUserService = new AuthorizationHelper(this.host).createUserService(this.host, "foo@foo.com");
        Service minimalTestService = new MinimalTestService();
        this.host.addPrivilegedService(MinimalTestService.class);
        this.host.startServiceAndWait(minimalTestService, UUID.randomUUID().toString(), null);
        this.host.resetSystemAuthorizationContext();
        Operation.AuthorizationContext assumeIdentityAndGetContext = assumeIdentityAndGetContext(createUserService, minimalTestService, true);
        Operation.AuthorizationContext assumeIdentityAndGetContext2 = assumeIdentityAndGetContext(createUserService, minimalTestService, true);
        Assert.assertNotNull(assumeIdentityAndGetContext);
        Assert.assertNotNull(assumeIdentityAndGetContext2);
        this.host.setSystemAuthorizationContext();
        Operation operation = new Operation();
        operation.setUri(UriUtils.buildUri(this.host, createUserService));
        TestContext testCreate = this.host.testCreate(1);
        operation.setCompletion(testCreate.getCompletion());
        AuthorizationCacheUtils.clearAuthzCacheForUser(minimalTestService, operation);
        operation.complete();
        this.host.testWait(testCreate);
        this.host.resetSystemAuthorizationContext();
        Assert.assertNull(this.host.getAuthorizationContext(minimalTestService, assumeIdentityAndGetContext.getToken()));
        Assert.assertNull(this.host.getAuthorizationContext(minimalTestService, assumeIdentityAndGetContext2.getToken()));
    }

    @Test
    public void updateAuthzCache() throws Throwable {
        ExecutorService executorService = null;
        try {
            this.host.setSystemAuthorizationContext();
            AuthorizationHelper authorizationHelper = new AuthorizationHelper(this.host);
            String createUserService = authorizationHelper.createUserService(this.host, "foo@foo.com");
            String createUserGroup = authorizationHelper.createUserGroup(this.host, "foo@foo.com", QueryTask.Query.Builder.create().addFieldClause("email", "foo@foo.com").build());
            UserService.UserState userState = new UserService.UserState();
            userState.userGroupLinks = Collections.singleton(createUserGroup);
            this.host.sendAndWaitExpectSuccess(Operation.createPatch(UriUtils.buildUri(this.host, createUserService)).setBody(userState));
            TestContext testCreate = this.host.testCreate(this.serviceCount);
            executorService = this.host.allocateExecutor(this.host.startServiceAndWait(MinimalTestService.class, UUID.randomUUID().toString()));
            this.host.resetSystemAuthorizationContext();
            for (int i = 0; i < this.serviceCount; i++) {
                this.host.run(executorService, () -> {
                    String uuid = UUID.randomUUID().toString();
                    try {
                        this.host.setSystemAuthorizationContext();
                        authorizationHelper.createRole(this.host, createUserGroup, authorizationHelper.createResourceGroup(this.host, uuid, QueryTask.Query.Builder.create().addFieldClause("name", uuid).build()), EnumSet.allOf(Service.Action.class));
                        this.host.resetSystemAuthorizationContext();
                        this.host.assumeIdentity(createUserService);
                        ExampleService.ExampleServiceState exampleServiceState = new ExampleService.ExampleServiceState();
                        exampleServiceState.name = uuid;
                        exampleServiceState.documentSelfLink = uuid;
                        for (int i2 = 0; i2 < 3; i2++) {
                            try {
                                this.host.sendAndWaitExpectSuccess(Operation.createPost(UriUtils.buildUri(this.host, "/core/examples")).setBody(exampleServiceState));
                                break;
                            } catch (Throwable th) {
                                this.host.log(Level.WARNING, "Error creating example service: " + th.getMessage(), new Object[0]);
                                if (i2 == 2) {
                                    testCreate.fail(new IllegalStateException("Example service creation failed thrice"));
                                    return;
                                }
                            }
                        }
                        this.host.sendAndWaitExpectSuccess(Operation.createDelete(UriUtils.buildUri(this.host, UriUtils.buildUriPath(new String[]{"/core/examples", uuid}))));
                        testCreate.complete();
                    } catch (Throwable th2) {
                        this.host.log(Level.WARNING, th2.getMessage(), new Object[0]);
                        testCreate.fail(th2);
                    }
                });
            }
            this.host.testWait(testCreate);
            if (executorService != null) {
                executorService.shutdown();
            }
        } catch (Throwable th) {
            if (executorService != null) {
                executorService.shutdown();
            }
            throw th;
        }
    }

    @Test
    public void testAuthzUtils() throws Throwable {
        this.host.setSystemAuthorizationContext();
        AuthorizationHelper authorizationHelper = new AuthorizationHelper(this.host);
        String createUserService = authorizationHelper.createUserService(this.host, "foo@foo.com");
        UserService.UserState userState = new UserService.UserState();
        userState.userGroupLinks = new HashSet();
        userState.userGroupLinks.add(UriUtils.buildUriPath(new String[]{UserGroupService.FACTORY_LINK, authorizationHelper.getUserGroupName("foo@foo.com")}));
        authorizationHelper.patchUserService(this.host, createUserService, userState);
        authorizationHelper.createRoles(this.host, "foo@foo.com");
        Service minimalTestService = new MinimalTestService();
        this.host.addPrivilegedService(MinimalTestService.class);
        this.host.startServiceAndWait(minimalTestService, UUID.randomUUID().toString(), null);
        this.host.resetSystemAuthorizationContext();
        String userGroupLink = authorizationHelper.getUserGroupLink();
        String resourceGroupLink = authorizationHelper.getResourceGroupLink();
        String roleLink = authorizationHelper.getRoleLink();
        Assert.assertNotNull(assumeIdentityAndGetContext(createUserService, minimalTestService, true));
        this.host.setSystemAuthorizationContext();
        UserGroupService.UserGroupState userGroupState = (UserGroupService.UserGroupState) this.host.waitForResponse(Operation.createGet(UriUtils.buildUri(this.host, userGroupLink))).getBody(UserGroupService.UserGroupState.class);
        Operation operation = new Operation();
        TestContext testCreate = this.host.testCreate(1);
        operation.setCompletion(testCreate.getCompletion());
        AuthorizationCacheUtils.clearAuthzCacheForUserGroup(minimalTestService, operation, userGroupState);
        operation.complete();
        this.host.testWait(testCreate);
        this.host.resetSystemAuthorizationContext();
        Assert.assertNull(assumeIdentityAndGetContext(createUserService, minimalTestService, false));
        Assert.assertNotNull(assumeIdentityAndGetContext(createUserService, minimalTestService, true));
        this.host.setSystemAuthorizationContext();
        Operation operation2 = new Operation();
        TestContext testCreate2 = this.host.testCreate(1);
        operation2.setCompletion(testCreate2.getCompletion());
        operation2.setUri(UriUtils.buildUri(this.host, resourceGroupLink));
        AuthorizationCacheUtils.clearAuthzCacheForResourceGroup(minimalTestService, operation2);
        operation2.complete();
        this.host.testWait(testCreate2);
        this.host.resetSystemAuthorizationContext();
        Assert.assertNull(assumeIdentityAndGetContext(createUserService, minimalTestService, false));
        Assert.assertNotNull(assumeIdentityAndGetContext(createUserService, minimalTestService, true));
        this.host.setSystemAuthorizationContext();
        RoleService.RoleState roleState = (RoleService.RoleState) this.host.waitForResponse(Operation.createGet(UriUtils.buildUri(this.host, roleLink))).getBody(RoleService.RoleState.class);
        Operation operation3 = new Operation();
        TestContext testCreate3 = this.host.testCreate(1);
        operation3.setCompletion(testCreate3.getCompletion());
        AuthorizationCacheUtils.clearAuthzCacheForRole(minimalTestService, operation3, roleState);
        operation3.complete();
        this.host.testWait(testCreate3);
        this.host.resetSystemAuthorizationContext();
        Assert.assertNull(assumeIdentityAndGetContext(createUserService, minimalTestService, false));
        Assert.assertNotNull(assumeIdentityAndGetContext(createUserService, minimalTestService, true));
        this.host.setSystemAuthorizationContext();
        Operation operation4 = new Operation();
        operation4.setUri(UriUtils.buildUri(this.host, createUserService));
        TestContext testCreate4 = this.host.testCreate(1);
        operation4.setCompletion(testCreate4.getCompletion());
        AuthorizationCacheUtils.clearAuthzCacheForUser(minimalTestService, operation4);
        operation4.complete();
        this.host.testWait(testCreate4);
        this.host.resetSystemAuthorizationContext();
        Assert.assertNull(assumeIdentityAndGetContext(createUserService, minimalTestService, false));
    }

    private void verifyJaneAccess(Map<URI, ExampleService.ExampleServiceState> map, String str) throws Throwable {
        this.host.testStart(map.size());
        for (Map.Entry<URI, ExampleService.ExampleServiceState> entry : map.entrySet()) {
            Operation createGet = Operation.createGet(entry.getKey());
            if (str != null) {
                createGet.forceRemote();
                createGet.getRequestHeaders().put("x-xenon-auth-token", str);
            }
            if (entry.getValue().name.equals("jane")) {
                createGet.setCompletion((operation, th) -> {
                    if (operation.getStatusCode() != 200) {
                        this.host.failIteration(new IllegalStateException(String.format("Expected %d, got %s", 200, Integer.valueOf(operation.getStatusCode()))));
                        return;
                    }
                    ExampleService.ExampleServiceState exampleServiceState = (ExampleService.ExampleServiceState) operation.getBody(ExampleService.ExampleServiceState.class);
                    if (exampleServiceState.documentAuthPrincipalLink.equals(this.userServicePath)) {
                        this.host.completeIteration();
                    } else {
                        this.host.failIteration(new IllegalStateException(String.format("Expected %s, got %s", this.userServicePath, exampleServiceState.documentAuthPrincipalLink)));
                    }
                });
            } else {
                createGet.setCompletion((operation2, th2) -> {
                    if (operation2.getStatusCode() != 403) {
                        this.host.failIteration(new IllegalStateException(String.format("Expected %d, got %s", 403, Integer.valueOf(operation2.getStatusCode()))));
                    } else {
                        this.host.completeIteration();
                    }
                });
            }
            this.host.send(createGet);
        }
        this.host.testWait();
    }

    private void assertAuthorizedServicesInResult(String str, Map<URI, ExampleService.ExampleServiceState> map, ServiceDocumentQueryResult serviceDocumentQueryResult) {
        HashSet hashSet = new HashSet(serviceDocumentQueryResult.documentLinks);
        for (Map.Entry<URI, ExampleService.ExampleServiceState> entry : map.entrySet()) {
            String path = entry.getKey().getPath();
            if (entry.getValue().name.equals(str)) {
                Assert.assertTrue(hashSet.contains(path));
            } else {
                Assert.assertFalse(hashSet.contains(path));
            }
        }
    }

    private String generateAuthToken(String str) throws GeneralSecurityException {
        Claims.Builder builder = new Claims.Builder();
        builder.setSubject(str);
        return this.host.getTokenSigner().sign(builder.getResult());
    }

    private ExampleService.ExampleServiceState createExampleServiceState(String str, Long l) {
        ExampleService.ExampleServiceState exampleServiceState = new ExampleService.ExampleServiceState();
        exampleServiceState.name = str;
        exampleServiceState.counter = l;
        exampleServiceState.documentAuthPrincipalLink = "stringtooverwrite";
        return exampleServiceState;
    }

    private Map<URI, ExampleService.ExampleServiceState> createExampleServices(String str) throws Throwable {
        LinkedList linkedList = new LinkedList();
        for (int i = 0; i < this.serviceCount; i++) {
            linkedList.add(createExampleServiceState(str, 1L));
        }
        Iterator it = linkedList.iterator();
        return this.host.doFactoryChildServiceStart(null, linkedList.size(), ExampleService.ExampleServiceState.class, operation -> {
            operation.setBody(it.next());
        }, UriUtils.buildFactoryUri(this.host, ExampleService.class));
    }
}
