package com.google.cloud.hadoop.util;

import com.github.stefanbirkner.systemlambda.SystemLambda;
import com.google.api.client.auth.oauth2.TokenResponse;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.testing.http.MockHttpTransport;
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.ComputeEngineCredentials;
import com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.auth.oauth2.UserCredentials;
import com.google.cloud.hadoop.util.HadoopCredentialsConfiguration;
import com.google.cloud.hadoop.util.testing.HadoopConfigurationUtils;
import com.google.cloud.hadoop.util.testing.MockHttpTransportHelper;
import com.google.cloud.hadoop.util.testing.TestingAccessTokenProvider;
import com.google.common.base.Suppliers;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.io.Resources;
import com.google.common.truth.Truth;
import java.io.IOException;
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.time.Instant;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;

@RunWith(JUnit4.class)
/* loaded from: input_file:com/google/cloud/hadoop/util/HadoopCredentialsConfigurationTest.class */
public class HadoopCredentialsConfigurationTest {
    private static final Map<String, Object> expectedDefaultConfiguration = new HashMap<String, Object>() { // from class: com.google.cloud.hadoop.util.HadoopCredentialsConfigurationTest.1
        {
            put(".auth.access.token.provider", null);
            put(".auth.client.id", null);
            put(".auth.client.secret", null);
            put(".auth.impersonation.service.account", null);
            put(".auth.impersonation.service.account.for.group.", ImmutableMap.of());
            put(".auth.impersonation.service.account.for.user.", ImmutableMap.of());
            put(".auth.refresh.token", null);
            put(".auth.service.account.json.keyfile", null);
            put(".auth.workload.identity.federation.credential.config.file", null);
            put(".auth.type", HadoopCredentialsConfiguration.AuthenticationType.COMPUTE_ENGINE);
            put(".http.read-timeout", 5000L);
            put(".proxy.address", null);
            put(".proxy.password", null);
            put(".proxy.username", null);
            put(".token.server.url", null);
        }
    };
    private Configuration configuration;

    private static String getConfigKey(HadoopConfigurationProperty<?> hadoopConfigurationProperty) {
        return "google.cloud" + hadoopConfigurationProperty.getKey();
    }

    @Before
    public void setUp() {
        this.configuration = new Configuration();
    }

    private GoogleCredentials getCredentials() throws IOException {
        return getCredentials(new MockHttpTransport());
    }

    private GoogleCredentials getCredentials(HttpTransport httpTransport) throws IOException {
        return HadoopCredentialsConfiguration.getCredentials(Suppliers.ofInstance(httpTransport), this.configuration, ImmutableList.of("google.cloud"));
    }

    @Test
    public void nullCredentialsAreCreatedForTesting() throws Exception {
        this.configuration.setEnum(getConfigKey(HadoopCredentialsConfiguration.AUTHENTICATION_TYPE_SUFFIX), HadoopCredentialsConfiguration.AuthenticationType.UNAUTHENTICATED);
        Truth.assertThat(getCredentials()).isNull();
    }

    @Test
    public void invalidAuthType_exceptionIsThrown() {
        this.configuration.set(getConfigKey(HadoopCredentialsConfiguration.AUTHENTICATION_TYPE_SUFFIX), "INVALID_TEST");
        IllegalArgumentException illegalArgumentException = (IllegalArgumentException) Assert.assertThrows(IllegalArgumentException.class, this::getCredentials);
        Truth.assertThat(illegalArgumentException).hasMessageThat().startsWith("No enum constant ");
        Truth.assertThat(illegalArgumentException).hasMessageThat().contains("AuthenticationType.INVALID_TEST");
    }

    @Test
    public void metadataServiceIsUsedByDefault() throws Exception {
        GoogleCredentials credentials = getCredentials(MockHttpTransportHelper.mockTransport(new Object[]{MockHttpTransportHelper.jsonDataResponse(new TokenResponse().setAccessToken("metadata-test-token").setExpiresInSeconds(100L))}));
        credentials.refreshIfExpired();
        Truth.assertThat(credentials).isInstanceOf(ComputeEngineCredentials.class);
        Truth.assertThat(credentials.getAccessToken().getTokenValue()).isEqualTo("metadata-test-token");
    }

    @Test
    public void applicationDefaultServiceAccountWhenConfigured() throws Exception {
        this.configuration.setEnum(getConfigKey(HadoopCredentialsConfiguration.AUTHENTICATION_TYPE_SUFFIX), HadoopCredentialsConfiguration.AuthenticationType.APPLICATION_DEFAULT);
        ServiceAccountCredentials serviceAccountCredentials = (ServiceAccountCredentials) SystemLambda.withEnvironmentVariable("GOOGLE_APPLICATION_CREDENTIALS", getStringPath("test-credentials.json")).execute(() -> {
            return getCredentials();
        });
        Truth.assertThat(serviceAccountCredentials.getClientEmail()).isEqualTo("test-email@gserviceaccount.com");
        Truth.assertThat(serviceAccountCredentials.getPrivateKeyId()).isEqualTo("test-key-id");
    }

    @Test
    public void jsonKeyFileUsedWhenConfigured() throws Exception {
        this.configuration.setEnum(getConfigKey(HadoopCredentialsConfiguration.AUTHENTICATION_TYPE_SUFFIX), HadoopCredentialsConfiguration.AuthenticationType.SERVICE_ACCOUNT_JSON_KEYFILE);
        this.configuration.set(getConfigKey(HadoopCredentialsConfiguration.SERVICE_ACCOUNT_JSON_KEYFILE_SUFFIX), getStringPath("test-credentials.json"));
        ServiceAccountCredentials credentials = getCredentials();
        Truth.assertThat(credentials.getClientEmail()).isEqualTo("test-email@gserviceaccount.com");
        Truth.assertThat(credentials.getPrivateKeyId()).isEqualTo("test-key-id");
    }

    @Test
    public void wipConfigFileUsedWhenConfigured() throws Exception {
        this.configuration.setEnum(getConfigKey(HadoopCredentialsConfiguration.AUTHENTICATION_TYPE_SUFFIX), HadoopCredentialsConfiguration.AuthenticationType.WORKLOAD_IDENTITY_FEDERATION_CREDENTIAL_CONFIG_FILE);
        this.configuration.set(getConfigKey(HadoopCredentialsConfiguration.WORKLOAD_IDENTITY_FEDERATION_CREDENTIAL_CONFIG_FILE_SUFFIX), getStringPath("test-wip-config.json"));
        ExternalAccountCredentials credentials = getCredentials();
        Truth.assertThat(credentials.getAuthenticationType()).isEqualTo("OAuth2");
        Truth.assertThat(credentials.getAudience()).isEqualTo("//iam.googleapis.com/projects/test/locations/global/workloadIdentityPools/test-pool/providers/tester");
        Truth.assertThat(credentials.getTokenUrl()).isEqualTo("https://sts.googleapis.com/v1/token");
    }

    @Test
    public void accessTokenProviderCredentials_credentialFactory() throws IOException {
        this.configuration.setEnum(getConfigKey(HadoopCredentialsConfiguration.AUTHENTICATION_TYPE_SUFFIX), HadoopCredentialsConfiguration.AuthenticationType.ACCESS_TOKEN_PROVIDER);
        this.configuration.setClass(getConfigKey(HadoopCredentialsConfiguration.ACCESS_TOKEN_PROVIDER_SUFFIX), TestingAccessTokenProvider.class, AccessTokenProvider.class);
        AccessToken accessToken = getCredentials().getAccessToken();
        Truth.assertThat(accessToken).isNotNull();
        Truth.assertThat(accessToken.getTokenValue()).isEqualTo("invalid-access-token");
        Truth.assertThat(accessToken.getExpirationTime()).isEqualTo(Date.from(TestingAccessTokenProvider.EXPIRATION_TIME));
    }

    @Test
    public void userCredentials_credentialFactory_noNewRefreshToken() throws IOException {
        this.configuration.set(getConfigKey(HadoopCredentialsConfiguration.TOKEN_SERVER_URL_SUFFIX), "http://localhost/token");
        this.configuration.setEnum(getConfigKey(HadoopCredentialsConfiguration.AUTHENTICATION_TYPE_SUFFIX), HadoopCredentialsConfiguration.AuthenticationType.USER_CREDENTIALS);
        this.configuration.set(getConfigKey(HadoopCredentialsConfiguration.AUTH_REFRESH_TOKEN_SUFFIX), "FAKE_REFRESH_TOKEN");
        this.configuration.set(getConfigKey(HadoopCredentialsConfiguration.AUTH_CLIENT_ID_SUFFIX), "FAKE_CLIENT_ID");
        this.configuration.set(getConfigKey(HadoopCredentialsConfiguration.AUTH_CLIENT_SECRET_SUFFIX), "FAKE_CLIENT_SECRET");
        UserCredentials credentials = getCredentials(MockHttpTransportHelper.mockTransport(new Object[]{MockHttpTransportHelper.jsonDataResponse(new TokenResponse().setAccessToken("SlAV32hkKG").setExpiresInSeconds(300L))}));
        credentials.refresh();
        Truth.assertThat(credentials).isInstanceOf(UserCredentials.class);
        UserCredentials userCredentials = credentials;
        Truth.assertThat(userCredentials.getClientId()).isEqualTo("FAKE_CLIENT_ID");
        Truth.assertThat(userCredentials.getClientSecret()).isEqualTo("FAKE_CLIENT_SECRET");
        AccessToken accessToken = userCredentials.getAccessToken();
        Truth.assertThat(accessToken).isNotNull();
        Truth.assertThat(accessToken.getExpirationTime()).isGreaterThan(Date.from(Instant.now().plusSeconds(300 - 10)));
        Truth.assertThat(accessToken.getExpirationTime()).isLessThan(Date.from(Instant.now().plusSeconds(300 + 10)));
        Truth.assertThat(userCredentials.getRefreshToken()).isEqualTo("FAKE_REFRESH_TOKEN");
    }

    @Test
    public void customTokenServerUrl() throws Exception {
        this.configuration.setEnum(getConfigKey(HadoopCredentialsConfiguration.AUTHENTICATION_TYPE_SUFFIX), HadoopCredentialsConfiguration.AuthenticationType.SERVICE_ACCOUNT_JSON_KEYFILE);
        this.configuration.set(getConfigKey(HadoopCredentialsConfiguration.SERVICE_ACCOUNT_JSON_KEYFILE_SUFFIX), getStringPath("test-credentials.json"));
        this.configuration.set(getConfigKey(HadoopCredentialsConfiguration.TOKEN_SERVER_URL_SUFFIX), "https://test.oauth.com/token");
        Truth.assertThat(getCredentials().getTokenServerUri()).isEqualTo(new URI("https://test.oauth.com/token"));
    }

    @Test
    public void defaultPropertiesValues() {
        Truth.assertThat(HadoopConfigurationUtils.getDefaultProperties(HadoopCredentialsConfiguration.class)).containsExactlyEntriesIn(expectedDefaultConfiguration);
    }

    private static String getStringPath(String str) {
        return getPath(str).toString();
    }

    private static Path getPath(String str) {
        String file = Resources.getResource(str).getFile();
        return Paths.get((System.getProperty("os.name").toLowerCase().contains("win") && file.startsWith("/")) ? file.substring(1) : file, new String[0]);
    }
}
