package io.confluent.kafka.server.plugins.auth.oauth;

import io.confluent.kafka.server.plugins.auth.oauth.OAuthBearerValidatorCallbackHandler;
import io.confluent.kafka.server.plugins.auth.oauth.OAuthUtils;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.authenticator.TestJaasConfig;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/oauth/OAuthBearerValidatorCallbackHandlerTest.class */
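/**
 * Unit tests for {@link OAuthBearerValidatorCallbackHandler}.
 *
 * <p>Each test mints a fresh JWS with {@code OAuthUtils.setUpJws} and then checks one of two things:
 * that a valid token is attached to the validator callback, or that a misconfigured key path or a
 * bad token (wrong signing key, expired, unexpected issuer, missing subject, missing expiration)
 * is rejected with an exception.
 *
 * <p>NOTE(review): every test uses {@link #baseOptions()}, which sets an empty {@code audience}
 * option, so no test here covers a handler configured with a non-empty audience list.
 */
public class OAuthBearerValidatorCallbackHandlerTest {
    // Token and key-file fixture; re-created at the start of every test.
    private OAuthUtils.JwsContainer jwsContainer;
    private final String defaultIssuer = "Confluent";
    private final String defaultSubject = "Lyft <3";
    private final String[] defaultAllowedClusters = {"cluster1"};

    /** A well-formed token must be attached to the callback unchanged and without an error status. */
    @Test
    public void testAttachesJws() throws Exception {
        this.jwsContainer = OAuthUtils.setUpJws(36000, this.defaultIssuer, this.defaultSubject, this.defaultAllowedClusters);
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());
        // Declared with the concrete type: token() and errorStatus() are not part of the
        // javax Callback interface, so a Callback-typed variable cannot be used for the assertions.
        OAuthBearerValidatorCallback callback = new OAuthBearerValidatorCallback(this.jwsContainer.getJwsToken());
        handler.handle(new Callback[] {callback});
        Assert.assertNotNull(callback.token());
        Assert.assertEquals(this.jwsContainer.getJwsToken(), callback.token().value());
        Assert.assertNull(callback.errorStatus());
    }

    /**
     * Configuring the handler with a public-key path that does not resolve to a key file must fail.
     * Despite the method name, the expected exception is {@link ConfigException}.
     */
    @Test(expected = ConfigException.class)
    public void testConfigureRaisesJwtExceptionWhenInvalidKeyPath() throws Exception {
        this.jwsContainer = OAuthUtils.setUpJws(36000, this.defaultIssuer, this.defaultSubject, this.defaultAllowedClusters);
        Map<String, String> options = baseOptions();
        String brokenPath = this.jwsContainer.getPublicKeyFile().getAbsolutePath() + "/invalid!";
        options.put("publicKeyPath", brokenPath);
        createCallbackHandler(options);
    }

    /** A token checked against a public key from a different key pair must be rejected. */
    @Test(expected = OAuthBearerValidatorCallbackHandler.JwtVerificationException.class)
    public void testRaisesJwtExceptionWhenInvalidJws() throws Exception {
        this.jwsContainer = OAuthUtils.setUpJws(36000, this.defaultIssuer, this.defaultSubject, this.defaultAllowedClusters);
        // Overwrite the published key with an unrelated one so the token's signature no longer matches.
        OAuthUtils.writePemFile(this.jwsContainer.getPublicKeyFile(), OAuthUtils.generateKeyPair().getPublic());
        createCallbackHandler(baseOptions()).processToken(this.jwsContainer.getJwsToken());
    }

    /** A token whose lifetime has elapsed must be rejected. */
    @Test(expected = OAuthBearerValidatorCallbackHandler.JwtVerificationException.class)
    public void testRaisesJwtExceptionWhenExpiredJws() throws Exception {
        // presumably the first argument is the token lifetime in milliseconds - confirm in OAuthUtils
        this.jwsContainer = OAuthUtils.setUpJws(50, this.defaultIssuer, this.defaultSubject, this.defaultAllowedClusters);
        // Wall-clock dependent: wait past the short lifetime before validating.
        // NOTE(review): this only works if the handler allows no clock skew larger than the gap - verify.
        Thread.sleep(100L);
        createCallbackHandler(baseOptions()).processToken(this.jwsContainer.getJwsToken());
    }

    /** A token issued by anyone other than the default issuer used elsewhere in this class must be rejected. */
    @Test(expected = OAuthBearerValidatorCallbackHandler.JwtVerificationException.class)
    public void testRaisesJwtExceptionIfDifferentIssuer() throws Exception {
        this.jwsContainer = OAuthUtils.setUpJws(36000, "AWS", this.defaultSubject, this.defaultAllowedClusters);
        createCallbackHandler(baseOptions()).processToken(this.jwsContainer.getJwsToken());
    }

    /** A token created with a null subject must be rejected. */
    @Test(expected = OAuthBearerValidatorCallbackHandler.JwtVerificationException.class)
    public void testRaisesJwtExceptionIfMissingSubject() throws Exception {
        this.jwsContainer = OAuthUtils.setUpJws(36000, this.defaultIssuer, null, this.defaultAllowedClusters);
        createCallbackHandler(baseOptions()).processToken(this.jwsContainer.getJwsToken());
    }

    /** A token created with a null lifetime (no expiration) must be rejected. */
    @Test(expected = OAuthBearerValidatorCallbackHandler.JwtVerificationException.class)
    public void testRaisesJwtExceptionIfNoExpirationTime() throws Exception {
        this.jwsContainer = OAuthUtils.setUpJws(null, this.defaultIssuer, this.defaultSubject, this.defaultAllowedClusters);
        createCallbackHandler(baseOptions()).processToken(this.jwsContainer.getJwsToken());
    }

    /**
     * Builds a handler configured from a single JAAS entry that carries the given module options.
     *
     * @param options JAAS login-module options (see {@link #baseOptions()})
     * @return a configured handler; {@code configure} has already run, so configuration errors
     *     surface from this call
     */
    private static OAuthBearerValidatorCallbackHandler createCallbackHandler(Map<String, String> options) {
        String contextName = "Kafka";
        TestJaasConfig jaasConfig = new TestJaasConfig();
        jaasConfig.createOrUpdateEntry(
                contextName, "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule", options);
        OAuthBearerValidatorCallbackHandler handler = new OAuthBearerValidatorCallbackHandler();
        handler.configure(
                Collections.emptyMap(),
                "OAUTHBEARER",
                Collections.singletonList(jaasConfig.getAppConfigurationEntry(contextName)[0]));
        return handler;
    }

    /**
     * Returns the default module options: the path of the fixture's public-key file and an empty
     * {@code audience} value. Requires {@link #jwsContainer} to be set first.
     *
     * @return a new mutable map that callers may modify
     */
    private Map<String, String> baseOptions() {
        Map<String, String> options = new HashMap<>();
        options.put("publicKeyPath", this.jwsContainer.getPublicKeyFile().getAbsolutePath());
        // Joining zero elements yields the empty string, i.e. no audience is configured.
        options.put("audience", String.join(",", new CharSequence[0]));
        return options;
    }
}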
