package io.confluent.common.security.jetty;

import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.common.security.jetty.jwt.JwtBuilder;
import io.confluent.common.security.util.JwtUtils;
import io.confluent.kafka.clients.plugins.auth.jwt.CloseableVerificationKeyResolver;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticator;
import io.confluent.security.authentication.http.HttpClient;
import io.confluent.security.test.utils.IdentityProviderService;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.Key;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import javax.servlet.ServletRequest;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Form;
import org.easymock.EasyMock;
import org.eclipse.jetty.server.UserIdentity;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.jupiter.api.Assertions;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:io/confluent/common/security/jetty/MultiJwtLoginServiceTest.class */
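/**
 * Tests for {@link MultiJwtLoginService}, which hands a bearer token to one of two
 * {@link JwtLoginService} instances: one trusting a locally generated Confluent signing key and one
 * trusting the JWKS published by an embedded {@link IdentityProviderService}.
 *
 * <p>Coverage note: the only negative case in this class is a malformed token string
 * ({@link #testInvalidJwt}). A well-formed token with an untrusted signature, a wrong issuer or
 * audience, or expired claims is not exercised here, so those rejection paths must be covered by the
 * {@link JwtLoginService} / authenticator tests.
 */
public class MultiJwtLoginServiceTest {
    private static final JwtBuilder JWT_BUILDER = new JwtBuilder();
    /** Token signed with the Confluent test key; the login service maps it to the user "franz". */
    private static final String CONFLUENT_JWT = JWT_BUILDER.buildJwt("lkc-1234");
    /** Client credentials registered in the embedded IdP (test fixture only). */
    private static final String IDP_CLIENT_ID = "app1-developer";
    private static final String IDP_CLIENT_SECRET = "app1-developer";
    /** The one request attribute the strict request mock permits the login service to set. */
    private static final String ORG_RESOURCE_ID_ATTRIBUTE = "orgResourceId";
    private static final String REALM_MISMATCH_MESSAGE = "login service realm names must match";

    @Rule
    public TemporaryFolder tempFolder = new TemporaryFolder();
    private HttpClient httpClient;
    private IdentityProviderService idp;
    private JwtLoginService idpJwtLoginService;
    private JwtLoginService confluentJwtLoginService;
    private MultiJwtLoginService loginService;

    /**
     * Starts the embedded IdP and both delegate login services.
     *
     * <p>The IdP must be running before {@link #createIdPLoginService} is called, because that
     * helper reads the issuer and JWKS endpoint from it.
     */
    @Before
    public void setup() throws Exception {
        Path publicKeyPath =
                JWT_BUILDER.createJwtPublicKey(this.tempFolder.getRoot().toPath().resolve("public.key"));
        this.httpClient = HttpClient.builder().build();
        this.idp = new IdentityProviderService();
        this.idp.start();
        this.idpJwtLoginService = createIdPLoginService("sub", null);
        this.idpJwtLoginService.doStart();
        // Typed nulls are kept so constructor overload resolution stays unambiguous.
        this.confluentJwtLoginService =
                new JwtLoginService((String) null, "Confluent", publicKeyPath.toString(), (String) null);
        this.confluentJwtLoginService.doStart();
    }

    /**
     * Releases the IdP and the HTTP client. Both checks tolerate a {@link #setup} that failed early.
     *
     * <p>NOTE(review): the {@link JwtLoginService} instances started with {@code doStart()} are not
     * stopped here; whether they hold resources worth releasing is not visible from this test.
     */
    @After
    public void tearDown() throws Exception {
        if (this.idp != null) {
            this.idp.shutdown();
        }
        if (this.httpClient != null) {
            this.httpClient.close();
        }
    }

    /**
     * Builds a login service that trusts the embedded IdP's JWKS and requires the "account" audience.
     *
     * @param subClaimName    claim used as the principal name (e.g. {@code "sub"})
     * @param groupsClaimName claim carrying group membership, or {@code null} for none
     */
    private JwtLoginService createIdPLoginService(String subClaimName, String groupsClaimName) {
        JwtAuthenticator authenticator = new JwtAuthenticator(
                this.idp.getIssuer(),
                createJwksVerificationKeyResolver(new HttpsJwks(this.idp.getJwksEndpoint())),
                Collections.singletonList("account"),
                false);
        return new JwtLoginService((String) null, authenticator, subClaimName, groupsClaimName);
    }

    /** Wraps a jose4j JWKS resolver in the closeable resolver type the authenticator expects. */
    private CloseableVerificationKeyResolver createJwksVerificationKeyResolver(HttpsJwks httpsJwks) {
        final HttpsJwksVerificationKeyResolver delegate = new HttpsJwksVerificationKeyResolver(httpsJwks);
        return new CloseableVerificationKeyResolver() {
            @Override
            public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContext)
                    throws UnresolvableKeyException {
                return delegate.resolveKey(jws, nestingContext);
            }

            @Override
            public void close() {
                // Nothing owned by this wrapper needs releasing.
            }
        };
    }

    /**
     * Builds a strict request mock that permits exactly one
     * {@code setAttribute("orgResourceId", "")} call.
     *
     * <p>NOTE(review): the mock is never passed to {@code EasyMock.verify}, so an unexpected call
     * fails the test but a missing call does not.
     */
    private static ServletRequest mockRequest() {
        ServletRequest request = EasyMock.createMock(ServletRequest.class);
        request.setAttribute(ORG_RESOURCE_ID_ATTRIBUTE, "");
        EasyMock.replay(request);
        return request;
    }

    /** Builds a login-service mock whose realm name is {@code realm}. */
    private static JwtLoginService mockLoginServiceWithRealm(String realm) {
        JwtLoginService service = EasyMock.createMock(JwtLoginService.class);
        EasyMock.expect(service.getName()).andReturn(realm).anyTimes();
        EasyMock.replay(service);
        return service;
    }

    /** Runs {@code construction} and asserts it is rejected with the realm-mismatch message. */
    private static void assertRealmMismatch(Runnable construction) {
        try {
            construction.run();
            Assert.fail("Expected IllegalArgumentException");
        } catch (IllegalArgumentException e) {
            Assert.assertEquals(REALM_MISMATCH_MESSAGE, e.getMessage());
        }
    }

    /** A token signed with the Confluent test key is accepted and mapped to its user. */
    @Test
    public void testValidConfluentJwt() {
        this.loginService = new MultiJwtLoginService(this.confluentJwtLoginService, this.idpJwtLoginService);
        UserIdentity login = this.loginService.login((String) null, CONFLUENT_JWT, mockRequest());
        Assert.assertNotNull(login);
        Assert.assertEquals("franz", login.getUserPrincipal().getName());
    }

    /** A token issued by the embedded IdP is accepted; the principal name comes from "sub". */
    @Test
    public void testValidIdPJwt() throws ExecutionException, InterruptedException {
        this.loginService = new MultiJwtLoginService(this.confluentJwtLoginService, this.idpJwtLoginService);
        UserIdentity login = this.loginService.login((String) null, getJwtFromIdp(), mockRequest());
        Assert.assertNotNull(login);
        Assert.assertEquals("app1-developer", login.getUserPrincipal().getName());
    }

    /** A string that is not a JWT at all yields no identity rather than an exception. */
    @Test
    public void testInvalidJwt() {
        this.loginService = new MultiJwtLoginService(this.confluentJwtLoginService, this.idpJwtLoginService);
        Assert.assertNull(this.loginService.login((String) null, "PANTS", mockRequest()));
    }

    /** Construction is rejected when the IdP delegate's realm differs from the Confluent one. */
    @Test
    public void testRealmNamesMismatchIdpLoginService() {
        JwtLoginService mismatched = mockLoginServiceWithRealm("c3realm");
        assertRealmMismatch(() -> new MultiJwtLoginService(this.confluentJwtLoginService, mismatched));
    }

    /** Construction is rejected when the Confluent delegate's realm differs from the IdP one. */
    @Test
    public void testRealmNamesMismatchConfluentLoginService() {
        JwtLoginService mismatched = mockLoginServiceWithRealm("c3realm");
        assertRealmMismatch(() -> new MultiJwtLoginService(mismatched, this.idpJwtLoginService));
    }

    /** Configuring "preferred_username" as the subject claim changes the principal name. */
    @Test
    public void testSubClaimNameIdpLoginService() throws Exception {
        JwtLoginService idpService = createIdPLoginService("preferred_username", null);
        idpService.doStart();
        this.loginService = new MultiJwtLoginService(this.confluentJwtLoginService, idpService);
        UserIdentity login = this.loginService.login((String) null, getJwtFromIdp(), mockRequest());
        Assert.assertNotNull(login);
        Assert.assertEquals("service-account-app1-developer", login.getUserPrincipal().getName());
    }

    /** Configuring a groups claim exposes the IdP-issued group membership on the principal. */
    @Test
    public void testGroupsClaimNameIdpLoginService() throws Exception {
        JwtLoginService idpService = createIdPLoginService("sub", "groups");
        idpService.doStart();
        this.loginService = new MultiJwtLoginService(this.confluentJwtLoginService, idpService);
        UserIdentity login = this.loginService.login((String) null, getJwtFromIdp(), mockRequest());
        Assert.assertNotNull(login);
        JwtPrincipal principal = login.getUserPrincipal();
        Assert.assertEquals("groups", principal.getGroupsClaimName());
        Set<?> groups = JwtUtils.getGroupsFromJwtPrincipal(principal);
        Assert.assertEquals("app1-developer", principal.getName());
        Assert.assertEquals(1L, groups.size());
        Assert.assertTrue(groups.contains("/g4"));
    }

    /**
     * Obtains an access token from the embedded IdP via the client-credentials grant, authenticating
     * with HTTP Basic using the fixture client id and secret.
     *
     * @throws ExecutionException   if the token request fails
     * @throws InterruptedException if interrupted while waiting for the response
     */
    private String getJwtFromIdp() throws ExecutionException, InterruptedException {
        String basicCredentials = Base64.getEncoder().encodeToString(
                (IDP_CLIENT_ID + ":" + IDP_CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
        Form grant = new Form().param("grant_type", "client_credentials");
        return this.httpClient.target(URI.create(this.idp.getTokenEndpoint()))
                .request()
                .header("Authorization", "Basic " + basicCredentials)
                .accept("application/json")
                .rx()
                .post(Entity.entity(grant, "application/x-www-form-urlencoded"))
                .thenApply(response -> response.readEntity(Map.class))
                .thenApply(map -> (String) map.get("access_token"))
                .toCompletableFuture()
                .get();
    }
}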
