package io.confluent.common.security.jetty;

import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.easymock.EasyMock;
import org.easymock.EasyMockSupport;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.security.authentication.DeferredAuthentication;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:io/confluent/common/security/jetty/OAuthBearerAuthenticatorTest.class */
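/**
 * Unit tests for the request-validation path of {@link OAuthBearerAuthenticator}.
 *
 * <p>The {@link LoginService} is mocked throughout, so nothing here checks a token's signature,
 * expiry or claims. The tests pin only three things: where the authenticator reads the bearer
 * token from (the {@code Authorization} header, the {@code access_token} query parameter, the
 * {@code auth_token} cookie), which credential it hands to {@code LoginService.login}, and what
 * it writes to the response when it rejects a request.
 *
 * <p>NOTE(review): several rejection tests verify only the response side effects and do not
 * assert the value returned by {@code validateRequest}; only the null-principal and invalid
 * principal-name tests assert {@link Authentication#SEND_FAILURE}. Pinning the return value in
 * the remaining tests would catch a regression that writes a 401 but still returns an
 * authenticated result.
 */
public class OAuthBearerAuthenticatorTest extends EasyMockSupport {
    // Opaque stand-in for a bearer token: a truncated, JWT-looking string with no signature
    // segment. It is only compared for equality by the mocked LoginService, never parsed.
    private static final String TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJDb25mb";
    private static final String BEARER_HEADER = "Bearer " + TOKEN;
    // Credential that the mocked LoginService rejects or maps to an unusable identity.
    private static final String BAD_TOKEN = "bad=token";
    private static final String ACCESS_TOKEN_PARAM = "access_token";
    private static final String REALM = "test-realm";

    private LoginService mockLoginService;
    private UserIdentity mockIdentity;
    private Authenticator.AuthConfiguration mockConfig;
    private HttpServletRequest mockRequest;
    private HttpServletResponse mockResponse;
    private OAuthBearerAuthenticator authenticator;
    private ServletOutputStream mockServletOutputStream;

    /**
     * Creates the shared mocks and records the configuration expectations every test relies on.
     *
     * <p>The mocks come from {@code createMock}, which in EasyMock fails the test on any call
     * that was not recorded; the per-test expectations therefore also act as a whitelist of what
     * the authenticator may touch.
     */
    @Before
    public void setup() {
        DefaultIdentityService identityService = new DefaultIdentityService();
        this.mockLoginService = createMock(LoginService.class);
        this.mockIdentity = createMock(UserIdentity.class);
        this.mockConfig = createMock(Authenticator.AuthConfiguration.class);
        this.mockRequest = createMock(HttpServletRequest.class);
        this.mockResponse = createMock(HttpServletResponse.class);
        this.mockServletOutputStream = createMock(ServletOutputStream.class);
        Principal principal = createMock(Principal.class);

        EasyMock.expect(this.mockConfig.getLoginService()).andReturn(this.mockLoginService).anyTimes();
        EasyMock.expect(this.mockConfig.getIdentityService()).andReturn(identityService).anyTimes();
        EasyMock.expect(this.mockConfig.isSessionRenewedOnAuthentication()).andReturn(true).anyTimes();
        EasyMock.expect(this.mockLoginService.getIdentityService()).andReturn(identityService).anyTimes();
        // The default identity carries a non-empty principal name, i.e. a usable identity.
        EasyMock.expect(principal.getName()).andReturn("principal").anyTimes();
        EasyMock.expect(this.mockIdentity.getUserPrincipal()).andReturn(principal).anyTimes();

        this.authenticator = new OAuthBearerAuthenticator();
    }

    /**
     * A scheme spelled {@code BeareR} is rejected with the 401 response and no login attempt is
     * recorded, so the scheme match is case-sensitive.
     *
     * <p>NOTE(review): RFC 7235 treats authentication scheme names as case-insensitive, so this
     * is stricter than the specification. It fails closed, but confirm that rejecting
     * {@code bearer} or {@code BEARER} from conforming clients is intended.
     */
    @Test
    public void testFailsIfAuthHeaderHasWrongBearerCase() throws Exception {
        EasyMock.expect(this.mockRequest.getHeader(HttpHeader.AUTHORIZATION.asString())).andReturn("BeareR " + TOKEN).once();
        EasyMock.expect(this.mockRequest.getParameter(ACCESS_TOKEN_PARAM)).andReturn(null).once();
        EasyMock.expect(this.mockRequest.getCookies()).andReturn(new Cookie[0]).atLeastOnce();
        EasyMock.expect(this.mockLoginService.getName()).andReturn(REALM).once();
        expectUnauthorizedResponse();
        replayAll();

        this.authenticator.setConfiguration(this.mockConfig);
        this.authenticator.validateRequest(this.mockRequest, this.mockResponse, true);

        verifyAll();
    }

    /**
     * Records the exact response interaction expected on rejection: status 401, buffer reset,
     * {@code Content-Type: text/plain}, one body string printed to the output stream, and a flush.
     *
     * <p>NOTE(review): no {@code WWW-Authenticate} header is recorded here. Because unexpected
     * calls on the response mock fail the test, these tests appear to pin a 401 without a
     * challenge header, whereas RFC 7235 requires one on 401 responses. Confirm this is deliberate.
     */
    private void expectUnauthorizedResponse() throws IOException {
        this.mockResponse.setStatus(401);
        EasyMock.expectLastCall().once();
        this.mockResponse.resetBuffer();
        EasyMock.expectLastCall().once();
        this.mockResponse.setHeader("Content-Type", "text/plain");
        EasyMock.expectLastCall().once();
        EasyMock.expect(this.mockResponse.getOutputStream()).andReturn(this.mockServletOutputStream);
        // The body text is not pinned; any string is accepted.
        this.mockServletOutputStream.print(EasyMock.anyString());
        EasyMock.expectLastCall().once();
        this.mockResponse.flushBuffer();
        EasyMock.expectLastCall().once();
    }

    /** Asserts that {@code secureResponse} returns {@code true} even when given no request, response or user. */
    private void assertSecureResponseIsNoOp() throws Exception {
        Assert.assertTrue(this.authenticator.secureResponse((ServletRequest) null, (ServletResponse) null, false, (Authentication.User) null));
    }

    /**
     * A well-formed {@code Authorization: Bearer <token>} header yields a login call with a null
     * username and the token as the credential, and the result reports auth method {@code BEARER}.
     */
    @Test
    public void testTokenExtraction() throws Exception {
        EasyMock.expect(this.mockRequest.getHeader(HttpHeader.AUTHORIZATION.asString())).andReturn(BEARER_HEADER).once();
        EasyMock.expect(this.mockRequest.getParameter(ACCESS_TOKEN_PARAM)).andReturn(null).once();
        EasyMock.expect(this.mockRequest.getCookies()).andReturn(new Cookie[0]).atLeastOnce();
        EasyMock.expect(this.mockLoginService.login(null, TOKEN, this.mockRequest)).andReturn(this.mockIdentity).once();
        replayAll();

        this.authenticator.setConfiguration(this.mockConfig);
        // validateRequest is also expected to return DeferredAuthentication and SEND_FAILURE in
        // other tests, so its declared type is the common supertype and a downcast is required.
        UserAuthentication result = (UserAuthentication) this.authenticator.validateRequest(this.mockRequest, this.mockResponse, true);

        Assert.assertEquals("BEARER", result.getAuthMethod());
        Assert.assertEquals(this.mockIdentity, result.getUserIdentity());
        assertSecureResponseIsNoOp();
        verifyAll();
    }

    /**
     * With {@code mandatory == false} the authenticator returns a {@link DeferredAuthentication};
     * resolving it later performs exactly one login and produces a {@code BEARER} user
     * authentication.
     */
    @Test
    public void testDeferAuthentication() throws Exception {
        EasyMock.expect(this.mockRequest.getHeader(HttpHeader.AUTHORIZATION.asString())).andReturn(BEARER_HEADER).anyTimes();
        EasyMock.expect(this.mockRequest.getParameter(ACCESS_TOKEN_PARAM)).andReturn(null).anyTimes();
        EasyMock.expect(this.mockRequest.getCookies()).andReturn(new Cookie[0]).atLeastOnce();
        EasyMock.expect(this.mockLoginService.login(null, TOKEN, this.mockRequest)).andReturn(this.mockIdentity).once();
        replayAll();

        this.authenticator.setConfiguration(this.mockConfig);
        // Keep the locals typed as Authentication so the instanceof assertions actually test
        // something; a local already declared as the subtype would make them vacuous.
        Authentication deferred = this.authenticator.validateRequest(this.mockRequest, this.mockResponse, false);
        Assert.assertTrue(deferred instanceof DeferredAuthentication);
        Authentication resolved = ((DeferredAuthentication) deferred).authenticate(this.mockRequest);
        Assert.assertTrue(resolved instanceof UserAuthentication);

        UserAuthentication userAuthentication = (UserAuthentication) resolved;
        Assert.assertEquals("BEARER", userAuthentication.getAuthMethod());
        Assert.assertEquals(this.mockIdentity, userAuthentication.getUserIdentity());
        verifyAll();
    }

    /** An empty {@code Authorization} header with no other token source is rejected without a login attempt. */
    @Test
    public void testInvalidHeader() throws Exception {
        EasyMock.expect(this.mockRequest.getHeader(HttpHeader.AUTHORIZATION.asString())).andReturn("").once();
        EasyMock.expect(this.mockRequest.getParameter(ACCESS_TOKEN_PARAM)).andReturn(null).once();
        EasyMock.expect(this.mockRequest.getCookies()).andReturn(new Cookie[0]).atLeastOnce();
        expectUnauthorizedResponse();
        EasyMock.expect(this.mockLoginService.getName()).andReturn(REALM).once();
        replayAll();

        this.authenticator.setConfiguration(this.mockConfig);
        this.authenticator.validateRequest(this.mockRequest, this.mockResponse, true);

        assertSecureResponseIsNoOp();
        verifyAll();
    }

    /**
     * When the header is the literal {@code Bearer null} and an {@code auth_token} cookie is
     * present, login is called with the cookie's value.
     *
     * <p>NOTE(review): this does not show whether the header value {@code null} is treated as
     * absent or whether the cookie simply wins; confirm the precedence in the authenticator.
     * Cookie-carried tokens are attached by browsers automatically, so cross-site request
     * protection has to be enforced elsewhere; nothing in this test covers it.
     */
    @Test
    public void testBearerTokenCookieExtraction() throws Exception {
        Cookie[] cookies = {new Cookie("auth_token", TOKEN)};
        HttpServletRequest cookieRequest = createMock(HttpServletRequest.class);
        EasyMock.expect(cookieRequest.getHeader(HttpHeader.AUTHORIZATION.asString())).andReturn("Bearer null").atLeastOnce();
        EasyMock.expect(cookieRequest.getCookies()).andReturn(cookies).atLeastOnce();
        EasyMock.expect(cookieRequest.getParameter(ACCESS_TOKEN_PARAM)).andReturn(null).atLeastOnce();
        EasyMock.expect(this.mockLoginService.login(null, TOKEN, cookieRequest)).andReturn(this.mockIdentity).once();
        replayAll();

        this.authenticator.setConfiguration(this.mockConfig);
        // A null response is passed, so the success path must not touch the response here.
        UserAuthentication result = (UserAuthentication) this.authenticator.validateRequest(cookieRequest, (ServletResponse) null, true);

        Assert.assertEquals("BEARER", result.getAuthMethod());
        Assert.assertEquals(this.mockIdentity, result.getUserIdentity());
        assertSecureResponseIsNoOp();
        verifyAll();
    }

    /** A token for which {@code LoginService.login} returns no identity produces the 401 response. */
    @Test
    public void testUnauthorizedToken() throws Exception {
        EasyMock.expect(this.mockRequest.getHeader(HttpHeader.AUTHORIZATION.asString())).andReturn("Bearer " + BAD_TOKEN).once();
        EasyMock.expect(this.mockRequest.getParameter(ACCESS_TOKEN_PARAM)).andReturn(null).once();
        EasyMock.expect(this.mockRequest.getCookies()).andReturn(new Cookie[0]).atLeastOnce();
        EasyMock.expect(this.mockLoginService.login(null, BAD_TOKEN, this.mockRequest)).andReturn(null).once();
        EasyMock.expect(this.mockLoginService.getName()).andReturn(REALM).once();
        expectUnauthorizedResponse();
        replayAll();

        this.authenticator.setConfiguration(this.mockConfig);
        this.authenticator.validateRequest(this.mockRequest, this.mockResponse, true);

        assertSecureResponseIsNoOp();
        verifyAll();
    }

    /**
     * An identity whose principal is {@code null} is treated as a failed login: the 401 response
     * is written and {@link Authentication#SEND_FAILURE} is returned.
     */
    @Test
    public void testUserWithNullPrincipal() throws Exception {
        EasyMock.expect(this.mockRequest.getHeader(HttpHeader.AUTHORIZATION.asString())).andReturn("Bearer " + BAD_TOKEN).once();
        EasyMock.expect(this.mockRequest.getParameter(ACCESS_TOKEN_PARAM)).andReturn(null).once();
        EasyMock.expect(this.mockRequest.getCookies()).andReturn(new Cookie[0]).atLeastOnce();
        UserIdentity identityWithoutPrincipal = mock(UserIdentity.class);
        EasyMock.expect(identityWithoutPrincipal.getUserPrincipal()).andReturn(null).atLeastOnce();
        EasyMock.expect(this.mockLoginService.login(null, BAD_TOKEN, this.mockRequest)).andReturn(identityWithoutPrincipal).once();
        EasyMock.expect(this.mockLoginService.getName()).andReturn(REALM).once();
        expectUnauthorizedResponse();
        replayAll();

        this.authenticator.setConfiguration(this.mockConfig);
        Assert.assertEquals(Authentication.SEND_FAILURE, this.authenticator.validateRequest(this.mockRequest, this.mockResponse, true));

        assertSecureResponseIsNoOp();
        verifyAll();
    }

    /** A principal whose name is {@code null} must not authenticate. */
    @Test
    public void testUserWithNullPrincipalName() throws Exception {
        testUserWithInvalidPrincipalName(null);
    }

    /** A principal whose name is the empty string must not authenticate. */
    @Test
    public void testUserWithEmptyPrincipalName() throws Exception {
        testUserWithInvalidPrincipalName("");
    }

    /**
     * Shared body for the principal-name tests: the login service returns an identity whose
     * principal reports {@code principalName}, and the request must end in the 401 response with
     * {@link Authentication#SEND_FAILURE}.
     *
     * @param principalName the unusable name (null or empty) returned by the mocked principal
     */
    private void testUserWithInvalidPrincipalName(String principalName) throws Exception {
        EasyMock.expect(this.mockRequest.getHeader(HttpHeader.AUTHORIZATION.asString())).andReturn("Bearer " + BAD_TOKEN).once();
        EasyMock.expect(this.mockRequest.getParameter(ACCESS_TOKEN_PARAM)).andReturn(null).once();
        EasyMock.expect(this.mockRequest.getCookies()).andReturn(new Cookie[0]).atLeastOnce();
        UserIdentity identity = mock(UserIdentity.class);
        Principal principal = mock(Principal.class);
        EasyMock.expect(principal.getName()).andReturn(principalName).atLeastOnce();
        EasyMock.expect(identity.getUserPrincipal()).andReturn(principal).atLeastOnce();
        EasyMock.expect(this.mockLoginService.login(null, BAD_TOKEN, this.mockRequest)).andReturn(identity).once();
        EasyMock.expect(this.mockLoginService.getName()).andReturn(REALM).once();
        expectUnauthorizedResponse();
        replayAll();

        this.authenticator.setConfiguration(this.mockConfig);
        Assert.assertEquals(Authentication.SEND_FAILURE, this.authenticator.validateRequest(this.mockRequest, this.mockResponse, true));

        assertSecureResponseIsNoOp();
        verifyAll();
    }

    /** A request with no header, no query parameter and a null cookie array is rejected with the 401 response. */
    @Test
    public void testNoAuth() throws Exception {
        EasyMock.expect(this.mockRequest.getHeader(HttpHeader.AUTHORIZATION.asString())).andReturn(null).once();
        EasyMock.expect(this.mockRequest.getParameter(ACCESS_TOKEN_PARAM)).andReturn(null).once();
        // getCookies() returning null (rather than an empty array) must be tolerated.
        EasyMock.expect(this.mockRequest.getCookies()).andReturn(null).atLeastOnce();
        EasyMock.expect(this.mockLoginService.getName()).andReturn(REALM).once();
        expectUnauthorizedResponse();
        replayAll();

        this.authenticator.setConfiguration(this.mockConfig);
        this.authenticator.validateRequest(this.mockRequest, this.mockResponse, true);

        assertSecureResponseIsNoOp();
        verifyAll();
    }

    /**
     * A token supplied only through the {@code access_token} query parameter authenticates, and
     * the response must be marked {@code Cache-Control: private}.
     *
     * <p>RFC 6750 section 2.3 asks for that header on successful responses to URI-query token
     * requests. Tokens in URLs also tend to end up in access logs and browser history, which
     * this header does not address.
     */
    @Test
    public void testQueryParamExtraction() throws Exception {
        EasyMock.expect(this.mockRequest.getHeader(HttpHeader.AUTHORIZATION.asString())).andReturn(null).once();
        EasyMock.expect(this.mockRequest.getParameter(ACCESS_TOKEN_PARAM)).andReturn(TOKEN).once();
        EasyMock.expect(this.mockRequest.getCookies()).andReturn(null).atLeastOnce();
        this.mockResponse.setHeader("Cache-Control", "private");
        EasyMock.expectLastCall().once();
        EasyMock.expect(this.mockLoginService.login(null, TOKEN, this.mockRequest)).andReturn(this.mockIdentity).once();
        replayAll();

        this.authenticator.setConfiguration(this.mockConfig);
        UserAuthentication result = (UserAuthentication) this.authenticator.validateRequest(this.mockRequest, this.mockResponse, true);

        Assert.assertEquals("BEARER", result.getAuthMethod());
        Assert.assertEquals(this.mockIdentity, result.getUserIdentity());
        assertSecureResponseIsNoOp();
        verifyAll();
    }

    /**
     * When the header and the query parameter carry the same token, the request authenticates
     * with a single login call and the response is still marked {@code Cache-Control: private}.
     */
    @Test
    public void testAuthHeaderMatchQueryParam() throws Exception {
        EasyMock.expect(this.mockRequest.getHeader(HttpHeader.AUTHORIZATION.asString())).andReturn(BEARER_HEADER).anyTimes();
        EasyMock.expect(this.mockRequest.getParameter(ACCESS_TOKEN_PARAM)).andReturn(TOKEN).anyTimes();
        EasyMock.expect(this.mockRequest.getCookies()).andReturn(new Cookie[0]).atLeastOnce();
        this.mockResponse.setHeader("Cache-Control", "private");
        EasyMock.expectLastCall().once();
        EasyMock.expect(this.mockLoginService.login(null, TOKEN, this.mockRequest)).andReturn(this.mockIdentity).once();
        replayAll();

        this.authenticator.setConfiguration(this.mockConfig);
        UserAuthentication result = (UserAuthentication) this.authenticator.validateRequest(this.mockRequest, this.mockResponse, true);

        Assert.assertEquals(this.mockIdentity, result.getUserIdentity());
        verifyAll();
    }

    /**
     * When the header and the query parameter carry different tokens, the request is rejected
     * with the 401 response and neither token reaches {@code LoginService.login}.
     */
    @Test
    public void testAuthHeaderNotMatchQueryParam() throws Exception {
        EasyMock.expect(this.mockRequest.getHeader(HttpHeader.AUTHORIZATION.asString())).andReturn(BEARER_HEADER).anyTimes();
        EasyMock.expect(this.mockRequest.getParameter(ACCESS_TOKEN_PARAM)).andReturn("MismatchWithAuthHeader").anyTimes();
        EasyMock.expect(this.mockRequest.getCookies()).andReturn(new Cookie[0]).atLeastOnce();
        EasyMock.expect(this.mockLoginService.getName()).andReturn(REALM).once();
        expectUnauthorizedResponse();
        replayAll();

        this.authenticator.setConfiguration(this.mockConfig);
        this.authenticator.validateRequest(this.mockRequest, this.mockResponse, true);

        verifyAll();
    }
}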
