package io.confluent.ksql.security;

import com.google.common.collect.ImmutableMap;
import io.confluent.ksql.api.auth.AuthenticationPlugin;
import io.vertx.core.Vertx;
import io.vertx.core.WorkerExecutor;
import io.vertx.core.http.HttpServerResponse;
import io.vertx.ext.web.RoutingContext;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.kafka.common.errors.AuthenticationException;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.After;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.junit.runner.RunWith;
import org.mockito.Matchers;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.runners.MockitoJUnitRunner;

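/**
 * Unit tests for {@link VertxAuthenticationPlugin}, run against a mocked Jetty
 * {@link Authenticator} and {@link LoginService}.
 *
 * <p>The plugin under test is an anonymous subclass whose {@code validateUser} accepts only
 * identities that hold {@code SOME_ROLE}. The failure-path tests check that a rejected or
 * broken authentication completes the returned future exceptionally, so a caller never
 * receives a principal for a request that was not both authenticated and authorized.
 */
@RunWith(MockitoJUnitRunner.class)
public class VertxAuthenticationPluginTest {
    // The single role the test plugin's validateUser() requires.
    private static final String SOME_ROLE = "some_role";

    @Rule
    public final ExpectedException expectedException = ExpectedException.none();

    @Mock
    private Authenticator authenticator;

    @Mock
    private LoginService loginService;

    @Mock
    private RoutingContext routingContext;

    @Mock
    private HttpServerResponse httpServerResponse;

    // Authentication.User is the Jetty result type that carries a UserIdentity.
    @Mock
    private Authentication.User okUserAuthentication;

    // A plain Authentication (not an Authentication.User) stands in for a failed login.
    @Mock
    private Authentication failedUserAuthentication;

    @Mock
    private UserIdentity userIdentity;

    @Mock
    private Principal userPrincipal;
    private Vertx vertx;
    private WorkerExecutor workerExecutor;
    private AuthenticationPlugin authenticationPlugin;

    /** Creates a real Vert.x instance and worker pool, then builds the plugin under test. */
    @Before
    public void setUp() {
        this.vertx = Vertx.vertx();
        this.workerExecutor = this.vertx.createSharedWorkerExecutor("testworkers");
        this.authenticationPlugin = setupAuthenticatorPlugin();
    }

    /** Releases the worker pool and the Vert.x instance created in {@link #setUp()}. */
    @After
    public void tearDown() {
        this.workerExecutor.close();
        this.vertx.close();
    }

    /**
     * A successful authentication yields the authenticated user's principal.
     *
     * <p>The role check is stubbed to pass for every role and scope, so this test covers the
     * authentication path only.
     */
    @Test
    public void shouldAuthenticate() throws Exception {
        stubValidateRequestReturns(this.okUserAuthentication);
        stubAuthenticatedIdentity();
        Mockito.when(this.userIdentity.isUserInRole(Matchers.any(), Matchers.any())).thenReturn(true);

        Principal principal = (Principal) this.authenticationPlugin.handleAuth(this.routingContext, this.workerExecutor).get();

        MatcherAssert.assertThat(principal, CoreMatchers.is(CoreMatchers.notNullValue()));
        MatcherAssert.assertThat(principal, CoreMatchers.is(this.userPrincipal));
    }

    /** An authenticated user that holds {@code SOME_ROLE} is authorized and returned. */
    @Test
    public void shouldAuthorizeRole() throws Exception {
        stubValidateRequestReturns(this.okUserAuthentication);
        stubAuthenticatedIdentity();
        Mockito.when(this.userIdentity.isUserInRole(SOME_ROLE, null)).thenReturn(true);

        Principal principal = (Principal) this.authenticationPlugin.handleAuth(this.routingContext, this.workerExecutor).get();

        MatcherAssert.assertThat(principal, CoreMatchers.is(CoreMatchers.notNullValue()));
        MatcherAssert.assertThat(principal, CoreMatchers.is(this.userPrincipal));
    }

    /**
     * An authenticated user that lacks {@code SOME_ROLE} must not obtain a principal: the
     * future completes exceptionally.
     */
    @Test
    public void shouldFailToAuthorizeRole() throws Exception {
        stubValidateRequestReturns(this.okUserAuthentication);
        stubAuthenticatedIdentity();
        Mockito.when(this.userIdentity.isUserInRole(SOME_ROLE, null)).thenReturn(false);

        CompletableFuture<?> handleAuth = this.authenticationPlugin.handleAuth(this.routingContext, this.workerExecutor);

        // NOTE(review): only the ExecutionException wrapper is asserted here; unlike the other
        // failure tests the cause type is not pinned. Consider adding expectCause(...) once the
        // exception the plugin raises for a failed role check is confirmed.
        this.expectedException.expect(ExecutionException.class);
        // get() is expected to throw, so there is no return value to assert on.
        handleAuth.get();
    }

    /**
     * When the authenticator returns a result that is not an {@link Authentication.User}, the
     * future fails with an {@link AuthenticationException} as its cause.
     */
    @Test
    public void shouldFailToAuthenticate() throws Exception {
        stubValidateRequestReturns(this.failedUserAuthentication);

        CompletableFuture<?> handleAuth = this.authenticationPlugin.handleAuth(this.routingContext, this.workerExecutor);

        this.expectedException.expect(ExecutionException.class);
        this.expectedException.expectCause(CoreMatchers.instanceOf(AuthenticationException.class));
        // get() is expected to throw, so there is no return value to assert on.
        handleAuth.get();
    }

    /**
     * An unexpected error thrown by the authenticator is surfaced as the cause of the failed
     * future rather than being swallowed or treated as a successful login.
     */
    @Test
    public void shouldPropagateExceptionInAuthentication() throws Exception {
        Mockito.when(this.routingContext.response()).thenReturn(this.httpServerResponse);
        Mockito.when(this.authenticator.validateRequest(
                Matchers.any(ServletRequest.class), Matchers.any(ServletResponse.class), Matchers.eq(true)))
            .thenThrow(new NullPointerException("foobar"));

        CompletableFuture<?> handleAuth = this.authenticationPlugin.handleAuth(this.routingContext, this.workerExecutor);

        this.expectedException.expect(ExecutionException.class);
        this.expectedException.expectCause(CoreMatchers.instanceOf(NullPointerException.class));
        // get() is expected to throw, so there is no return value to assert on.
        handleAuth.get();
    }

    /** Stubs the routing context's response and makes the authenticator return {@code result}. */
    private void stubValidateRequestReturns(Authentication result) throws Exception {
        Mockito.when(this.routingContext.response()).thenReturn(this.httpServerResponse);
        Mockito.when(this.authenticator.validateRequest(
                Matchers.any(ServletRequest.class), Matchers.any(ServletResponse.class), Matchers.eq(true)))
            .thenReturn(result);
    }

    /** Wires the successful authentication result to the mocked identity and principal. */
    private void stubAuthenticatedIdentity() {
        Mockito.when(this.okUserAuthentication.getUserIdentity()).thenReturn(this.userIdentity);
        Mockito.when(this.userIdentity.getUserPrincipal()).thenReturn(this.userPrincipal);
    }

    /** Returns placeholder configuration; the test plugin's configure() ignores its contents. */
    private Map<String, ?> goodProps() {
        return ImmutableMap.of("foo", "bar", "quux", "flib");
    }

    /**
     * Builds the plugin under test: a {@link VertxAuthenticationPlugin} wired to the mocked
     * authenticator and login service, authorizing only users that hold {@code SOME_ROLE}.
     */
    private AuthenticationPlugin setupAuthenticatorPlugin() {
        VertxAuthenticationPlugin vertxAuthenticationPlugin = new VertxAuthenticationPlugin() {
            @Override
            public void configure(Map<String, ?> map) {
                // The supplied properties are ignored; the mocks are injected directly.
                configure("somerealm", VertxAuthenticationPluginTest.this.authenticator, VertxAuthenticationPluginTest.this.loginService);
            }

            // @Override makes a signature drift in the superclass a compile error instead of
            // silently turning this role check into dead code.
            @Override
            protected boolean validateUser(UserIdentity userIdentity) {
                return userIdentity.isUserInRole(VertxAuthenticationPluginTest.SOME_ROLE, null);
            }
        };
        vertxAuthenticationPlugin.configure(goodProps());
        return vertxAuthenticationPlugin;
    }
}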
