package io.confluent.kafka.schemaregistry.security;

import io.confluent.common.security.auth.AuthenticationFilter;
import io.confluent.common.security.auth.RestUserPrincipal;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizerIntegrationTest;
import io.confluent.kafka.schemaregistry.security.config.SecureSchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import io.confluent.kafka.test.cluster.EmbeddedKafkaCluster;
import io.confluent.security.authorizer.Scope;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Properties;
import java.util.concurrent.atomic.AtomicReference;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Configurable;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.test.TestSslUtils;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentCaptor;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/security/SchemaRegistrySecurityResourceExtensionTest.class */
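/**
 * Tests the {@link AuthenticationFilter} that {@link SchemaRegistrySecurityResourceExtension}
 * registers when an SSL principal mapping rule is configured.
 *
 * <p>Each test starts an embedded single-broker Kafka cluster, lets the extension register its
 * resources against a mocked {@link Configurable}, and captures the filter it registers. The
 * tests then drive the filter with a mocked {@link ContainerRequestContext}:
 *
 * <ul>
 *   <li>with a client certificate, the filter is expected to install a new security context
 *       whose principal comes from the certificate and whose scheme is {@code "SSL"};
 *   <li>without a client certificate, the filter is expected to abort the request with 401 and
 *       leave the security context untouched.
 * </ul>
 */
public class SchemaRegistrySecurityResourceExtensionTest {
    protected static final Scope SCOPE = new Scope.Builder(new String[0]).withKafkaCluster("kafka").withCluster("schema-registry-cluster", "sr").build();

    /** Request property under which the tests supply the client certificate chain to the filter. */
    private static final String CLIENT_CERT_PROPERTY = "javax.servlet.request.X509Certificate";

    private EmbeddedKafkaCluster kafkaCluster;
    private String bootstrapServers;
    protected ContainerRequestContext mockContext;
    protected AtomicReference<AuthenticationFilter> authFilter;

    /**
     * Starts the embedded cluster and captures the authentication filter registered by the
     * extension.
     *
     * @throws Exception if the cluster or the extension fails to start
     */
    @Before
    public void setUp() throws Exception {
        this.kafkaCluster = new EmbeddedKafkaCluster();
        this.kafkaCluster.startQuorum();
        this.kafkaCluster.startBrokers(1, new Properties());
        this.bootstrapServers = this.kafkaCluster.bootstrapServers();

        Properties properties = new Properties();
        properties.put("kafkastore.bootstrap.servers", this.bootstrapServers);
        properties.put("confluent.schema.registry.authorizer.class", AuthorizerIntegrationTest.TestAuthorizer.class.getName());
        // The rule strips the leading "CN=" so the principal name is the bare common name;
        // testRegisteredSslPrincipalMapper asserts exactly that.
        properties.put("confluent.schema.registry.auth.ssl.principal.mapping.rules", "RULE:^CN=(.*?)$/$1/");
        SecureSchemaRegistryConfig secureSchemaRegistryConfig = new SecureSchemaRegistryConfig(properties);

        Configurable configurable = Mockito.mock(Configurable.class);
        this.authFilter = new AtomicReference<>();
        // Record the AuthenticationFilter among everything the extension registers; other
        // registrations are accepted and ignored.
        Mockito.when(configurable.register(Mockito.any(Object.class))).then(invocation -> {
            Object registered = invocation.getArguments()[0];
            if (registered instanceof AuthenticationFilter) {
                this.authFilter.set((AuthenticationFilter) registered);
            }
            return configurable;
        });

        new SchemaRegistrySecurityResourceExtension().registerResources(configurable, secureSchemaRegistryConfig, Mockito.mock(SchemaRegistry.class), SCOPE);
        this.mockContext = Mockito.mock(ContainerRequestContext.class);
    }

    /** Stops the embedded cluster, if {@link #setUp()} got far enough to create it. */
    @After
    public void shutdown() {
        // JUnit 4 runs @After even when @Before throws; without the guard a failure in the
        // EmbeddedKafkaCluster constructor would add a NullPointerException on top of the
        // real error.
        if (this.kafkaCluster != null) {
            this.kafkaCluster.shutdown();
        }
    }

    /**
     * A request carrying a client certificate gets a security context derived from the
     * certificate, not from the principal that was already on the request.
     *
     * @throws Exception if certificate generation or the filter fails
     */
    @Test
    public void testRegisteredSslPrincipalMapper() throws Exception {
        Assert.assertNotNull(this.authFilter.get());
        // Throwaway self-signed certificate, valid for 30 days. SHA1withRSA is kept as in the
        // original test. NOTE(review): presumably the signature algorithm is irrelevant here
        // because only the subject DN is asserted on; confirm nothing validates the chain
        // before relying on that.
        X509Certificate clientCert = TestSslUtils.generateCertificate("CN=schemaregistry/localhost@EXAMPLE.COM", TestSslUtils.generateKeyPair("RSA"), 30, "SHA1withRSA");
        Mockito.when(this.mockContext.getProperty(CLIENT_CERT_PROPERTY)).thenReturn(new X509Certificate[]{clientCert});
        Mockito.when(this.mockContext.getSecurityContext()).thenReturn(incomingSecurityContext("test"));

        ArgumentCaptor<SecurityContext> installedContext = ArgumentCaptor.forClass(SecurityContext.class);
        Mockito.doNothing().when(this.mockContext).setSecurityContext(installedContext.capture());

        this.authFilter.get().filter(this.mockContext);

        // A successful authentication must not also abort the request.
        Mockito.verify(this.mockContext, Mockito.never()).abortWith(Mockito.any());
        SecurityContext securityContext = installedContext.getValue();
        Assert.assertNotNull(securityContext);
        // The name must come from the certificate CN, not from the incoming "test" principal.
        Assert.assertEquals("schemaregistry/localhost@EXAMPLE.COM", securityContext.getUserPrincipal().getName());
        Assert.assertEquals("SSL", securityContext.getAuthenticationScheme());
    }

    /**
     * A request without a client certificate is rejected with 401 even though the incoming
     * security context already names a principal, and no new security context is installed.
     *
     * @throws Exception if the filter fails unexpectedly
     */
    @Test
    public void testAuthFilterLoginException() throws Exception {
        Assert.assertNotNull(this.authFilter.get());
        // The cast selects the single-value thenReturn overload rather than the varargs one.
        Mockito.when(this.mockContext.getProperty(CLIENT_CERT_PROPERTY)).thenReturn((Object) null);
        Mockito.when(this.mockContext.getSecurityContext()).thenReturn(incomingSecurityContext("testAuthFilterLoginPrincipal"));

        ArgumentCaptor<Response> abortResponse = ArgumentCaptor.forClass(Response.class);
        Mockito.doNothing().when(this.mockContext).abortWith(abortResponse.capture());

        this.authFilter.get().filter(this.mockContext);

        // Fail closed: the pre-existing principal must not be promoted to an authenticated one.
        Mockito.verify(this.mockContext, Mockito.never()).setSecurityContext(Mockito.any());
        Response response = abortResponse.getValue();
        Assert.assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
        Assert.assertEquals("User cannot access the resource", (String) response.getEntity());
    }

    /**
     * Builds the security context that is on the request before the filter runs: it names
     * {@code principalName}, grants no roles, is not secure and has no authentication scheme.
     */
    private static SecurityContext incomingSecurityContext(final String principalName) {
        return new SecurityContext() {
            @Override
            public Principal getUserPrincipal() {
                return new RestUserPrincipal(principalName);
            }

            @Override
            public boolean isUserInRole(String role) {
                return false;
            }

            @Override
            public boolean isSecure() {
                return false;
            }

            @Override
            public String getAuthenticationScheme() {
                return null;
            }
        };
    }
}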
