package io.confluent.ksql.security.filter;

import com.google.common.collect.ImmutableMap;
import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.common.security.sasl.ConfluentOAuthConfigs;
import io.confluent.ksql.rest.server.context.KsqlRestContext;
import java.io.IOException;
import java.net.URI;
import java.security.Principal;
import java.util.Map;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.glassfish.jersey.internal.MapPropertiesDelegate;
import org.glassfish.jersey.server.ContainerRequest;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.runners.MockitoJUnitRunner;

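/**
 * Unit tests for {@link KsqlSecurityRestContextFilter}.
 *
 * <p>The cases below pin the filter's authentication contract as exercised here: a request whose
 * security context carries no principal, or a principal that is not a {@link JwtPrincipal}, is
 * aborted with 401, and a request carrying a {@link JwtPrincipal} gets a {@link KsqlRestContext}
 * whose Kafka client properties and Schema Registry headers are derived from that caller's token.
 */
@RunWith(MockitoJUnitRunner.class)
public class KsqlSecurityRestContextFilterTest {
    private static final int UNAUTHORIZED = Response.Status.UNAUTHORIZED.getStatusCode();
    // Placeholder metadata-server address; nothing in this test connects to it.
    private static final String DUMMY_METADATA_SERVER_URL = "http://localhost:8090";
    private static final String AUTHORIZATION_HEADER = "Authorization";

    private KsqlSecurityRestContextFilter securityRestContextFilter;

    @Mock
    private SecurityContext securityContext;

    @Mock
    private JwtPrincipal principalUser1;

    @Before
    public void setUp() {
        this.securityRestContextFilter = new KsqlSecurityRestContextFilter(DUMMY_METADATA_SERVER_URL);
        Mockito.when(this.principalUser1.getName()).thenReturn("user1");
        // Constructed sample token value, not a real credential.
        Mockito.when(this.principalUser1.getJwt()).thenReturn("user1-token");
    }

    /** A request with no authenticated principal must be rejected with 401. */
    @Test
    public void filterShouldAbortIfNullPrincipalIsFound() throws IOException {
        ContainerRequest request = givenRequestContext(null);

        this.securityRestContextFilter.filter(request);

        int status = request.getAbortResponse().getStatus();
        Assert.assertThat(status, CoreMatchers.is(UNAUTHORIZED));
    }

    /** A principal that is authenticated but carries no JWT must also be rejected with 401. */
    @Test
    public void filterShouldAbortIfNoJwtPrincipalIsFound() throws IOException {
        ContainerRequest request = givenRequestContext(new KafkaPrincipal("User", "user_1"));

        this.securityRestContextFilter.filter(request);

        int status = request.getAbortResponse().getStatus();
        Assert.assertThat(status, CoreMatchers.is(UNAUTHORIZED));
    }

    /**
     * With a JWT principal, the filter must attach a {@link KsqlRestContext} whose Kafka client
     * properties and Schema Registry headers match the ones built from that principal's token.
     */
    @Test
    public void filterShouldSetCorrectSecurityRestContext() throws IOException {
        ContainerRequest request = addBearerToken(givenRequestContext(this.principalUser1));

        this.securityRestContextFilter.filter(request);

        KsqlRestContext restContext = (KsqlRestContext) KsqlRestContext.get(request).get();
        Assert.assertThat(
            restContext.getKafkaClientSupplierProperties(),
            CoreMatchers.is(getKafkaClientSupplierOAuthProperties(this.principalUser1)));
        Assert.assertThat(
            restContext.getSchemaRegistryClientHttpHeaders(),
            CoreMatchers.is(getSchemaRegistryClientHttpHeaders(request)));
    }

    /**
     * Adds an {@code Authorization: Bearer <jwt>} header taken from the request's principal.
     *
     * <p>{@link Principal} itself has no {@code getJwt()}, so the principal is cast explicitly;
     * callers must only pass requests whose principal is a {@link JwtPrincipal}.
     */
    private ContainerRequest addBearerToken(ContainerRequest containerRequest) {
        JwtPrincipal jwtPrincipal =
            (JwtPrincipal) containerRequest.getSecurityContext().getUserPrincipal();
        containerRequest.header(AUTHORIZATION_HEADER, "Bearer " + jwtPrincipal.getJwt());
        return containerRequest;
    }

    /** Builds a request for "/" whose mocked security context reports the given principal. */
    private ContainerRequest givenRequestContext(Principal principal) {
        Mockito.when(this.securityContext.getUserPrincipal()).thenReturn(principal);
        return new ContainerRequest(
            URI.create("/"), (URI) null, (String) null, this.securityContext, new MapPropertiesDelegate());
    }

    /** Expected Kafka client properties: OAUTHBEARER SASL settings built from the principal. */
    private Map<String, Object> getKafkaClientSupplierOAuthProperties(JwtPrincipal jwtPrincipal) {
        // Explicit type witness: a bare builder() chain infers <Object, Object> and does not
        // convert to Map<String, Object>.
        return ImmutableMap.<String, Object>builder()
            .put("sasl.mechanism", "OAUTHBEARER")
            .put(
                "sasl.login.callback.handler.class",
                "io.confluent.kafka.clients.plugins.auth.token.TokenBearerLoginCallbackHandler")
            .put(
                "sasl.jaas.config",
                ConfluentOAuthConfigs.getOAuthBearerLoginModuleJaasConfig(
                    jwtPrincipal, DUMMY_METADATA_SERVER_URL))
            .build();
    }

    /** Expected Schema Registry headers: the request's own Authorization header, unchanged. */
    private Map<String, String> getSchemaRegistryClientHttpHeaders(
            ContainerRequestContext containerRequestContext) {
        return ImmutableMap.<String, String>builder()
            .put(AUTHORIZATION_HEADER, containerRequestContext.getHeaderString(AUTHORIZATION_HEADER))
            .build();
    }
}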
