package io.confluent.common.security.jetty.initializer;

import io.confluent.common.security.jetty.jwt.JwtBuilder;
import io.confluent.common.security.util.TestUtils;
import io.confluent.security.auth.client.rest.RestClient;
import io.confluent.security.auth.client.rest.RestRequest;
import io.confluent.security.auth.client.rest.entities.AuthenticationResponse;
import io.confluent.security.auth.client.rest.exceptions.RestClientException;
import io.confluent.security.auth.common.JwtBearerToken;
import java.io.File;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.test.TestSslUtils;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.glassfish.jersey.servlet.ServletContainer;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/common/security/jetty/initializer/ImpersonationTokenIntegrationTest.class */
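/**
 * Integration test for {@code AuthenticationHandler}: a Jetty server with a TLS connector is
 * configured with the handler, the handler's REST client is mocked so that it returns a canned
 * {@link AuthenticationResponse}, and a request to {@code /echoAuthHeader} must come back with the
 * token built from that response.
 *
 * <p>Every file the test writes (the JWT public key, both keystores and the truststore) lives under
 * {@link #tempFolder} so that private key material is removed when the test finishes; the earlier
 * {@code File.createTempFile} variant left those stores behind in the system temp directory.
 *
 * <p>Ports are fixed ({@value #TLS_PORT} on localhost); two instances of this test cannot run in
 * parallel on the same host.
 */
public class ImpersonationTokenIntegrationTest {

    /** Port of the TLS connector; must match the {@code localhost:8090} URLs in {@link #validProps()}. */
    private static final int TLS_PORT = 8090;
    /** Loopback only, so the test listener is not reachable from other hosts. */
    private static final String BIND_HOST = "localhost";
    /** Password shared by both keystores and the truststore; these are throw-away test stores. */
    private static final Password STORE_PASSWORD = new Password("Client-KS-Password");

    /** Scratch directory for key material; JUnit deletes it after each test method. */
    @Rule
    public TemporaryFolder tempFolder = new TemporaryFolder();
    final SslContextFactory.Client sslClient = new SslContextFactory.Client();
    final SslContextFactory.Server sslServer = new SslContextFactory.Server();
    private static final JwtBuilder JWT_BUILDER = new JwtBuilder();
    /** Location of the public key written by {@link #JWT_BUILDER}; set in {@link #setUp()}. */
    static Path pemPath;
    /** Token the handler is expected to propagate; set while the mocks are configured. */
    static OAuthBearerToken expectedToken;
    private Server server;
    private HttpClient httpClient;

    /**
     * Builds the server (TLS connector only), installs the authentication handler and the Jersey
     * resource, and starts an {@link HttpClient} that presents the client keystore.
     *
     * <p>{@code new Server()} is used deliberately: {@code new Server(port)} would also open an
     * unauthenticated plaintext connector that nothing in this test uses.
     *
     * @throws Exception if key generation, keystore creation or server/client start-up fails
     */
    @Before
    public void setUp() throws Exception {
        this.server = new Server();
        ServletContextHandler servletContextHandler = new ServletContextHandler(ServletContextHandler.SESSIONS);
        servletContextHandler.setContextPath("/");
        pemPath = JWT_BUILDER.createJwtPublicKey(this.tempFolder.getRoot().toPath().resolve("public.key"));
        configureAuthenticationHandler(servletContextHandler, JWT_BUILDER);
        configureJerseyResource(this.server, servletContextHandler);
        configureServerClientSslContext();
        ServerConnector tlsConnector = new ServerConnector(this.server, this.sslServer);
        tlsConnector.setPort(TLS_PORT);
        tlsConnector.setHost(BIND_HOST);
        this.server.addConnector(tlsConnector);
        this.server.start();
        this.httpClient = new HttpClient(this.sslClient);
        this.httpClient.start();
    }

    /**
     * Stops the server and the client. The client is stopped even when the server refuses to stop,
     * and a component that {@link #setUp()} never created (start-up failed early) is skipped.
     *
     * @throws Exception if stopping either component fails
     */
    @After
    public void tearDown() throws Exception {
        try {
            if (this.server != null) {
                this.server.stop();
            }
        } finally {
            if (this.httpClient != null) {
                this.httpClient.stop();
            }
        }
    }

    /**
     * Registers the Jersey servlet on {@code /*} and makes the context the server's handler.
     * Resources are discovered by package scan; {@code /echoAuthHeader} is expected to live in
     * {@code io.confluent.common.security.util}.
     *
     * @param servletContextHandler context that receives the Jersey servlet
     * @param server                server whose handler is set to {@code servletContextHandler}
     */
    private static void configureJerseyResource(Server server, ServletContextHandler servletContextHandler) {
        ServletHolder jerseyServlet = servletContextHandler.addServlet(ServletContainer.class, "/*");
        jerseyServlet.setInitOrder(0);
        jerseyServlet.setInitParameter("jersey.config.server.provider.packages", "io.confluent.common.security.util");
        server.setHandler(servletContextHandler);
    }

    /**
     * Configures a spied {@code AuthenticationHandler} whose REST client is a mock. Every request
     * the handler sends is answered with the same {@link AuthenticationResponse}, so the token
     * echoed back by the resource must equal {@link #expectedToken}.
     *
     * @param servletContextHandler context the handler is applied to
     * @param jwtBuilder            builder used to mint the JWT inside the canned response
     * @throws RestClientException  declared by the stubbed REST client methods
     * @throws URISyntaxException   declared by the stubbed REST client methods
     */
    private static void configureAuthenticationHandler(ServletContextHandler servletContextHandler, JwtBuilder jwtBuilder) throws RestClientException, URISyntaxException {
        Map<String, Object> handlerProps = validProps();
        RestClient restClient = Mockito.mock(RestClient.class);
        RestRequest restRequest = Mockito.mock(RestRequest.class);
        AuthenticationHandler authenticationHandler = Mockito.spy(AuthenticationHandler.class);
        // Intercept the client factory so no real metadata-service connection is attempted.
        Mockito.doReturn(restClient).when(authenticationHandler).createRestClient(ArgumentMatchers.anyMap());
        Mockito.doReturn(restRequest).when(restClient).newRequest(ArgumentMatchers.anyString());
        // "c1" is the subject of the minted JWT; "test" matches oauthbearer.expected.issuer in validProps().
        AuthenticationResponse authenticationResponse = new AuthenticationResponse(jwtBuilder.buildJwt("c1"), "test", 21600L);
        expectedToken = new JwtBearerToken(authenticationResponse.authenticationToken());
        Mockito.doReturn(authenticationResponse).when(restClient).sendRequest(ArgumentMatchers.any(RestRequest.class));
        authenticationHandler.configure(handlerProps);
        authenticationHandler.accept(servletContextHandler);
    }

    /**
     * Generates one RSA key pair with a client and a server certificate, writes a keystore for
     * each side plus a truststore holding both certificates, and points {@link #sslServer} and
     * {@link #sslClient} at them. The server keystore holds the server certificate (alias
     * {@code server}); the client keystore holds the client certificate (alias {@code client}).
     *
     * <p>Both certificates are self-signed with {@code SHA1withRSA} and share a single key pair;
     * that is acceptable for 30-day throw-away test material only. All files are created under
     * {@link #tempFolder}, so the private key does not outlive the test.
     *
     * @throws Exception if key generation or keystore I/O fails
     */
    private void configureServerClientSslContext() throws Exception {
        File clientKeyStore = this.tempFolder.newFile("CKeystore.jks");
        File serverKeyStore = this.tempFolder.newFile("SKeystore.jks");
        File trustStore = this.tempFolder.newFile("truststore.jks");
        KeyPair keyPair = TestSslUtils.generateKeyPair("RSA");
        X509Certificate clientCert = TestSslUtils.generateCertificate("CN=localhost, O=Client", keyPair, 30, "SHA1withRSA");
        X509Certificate serverCert = TestSslUtils.generateCertificate("CN=localhost, O=Server", keyPair, 30, "SHA1withRSA");
        Map<String, X509Certificate> trustedCerts = new HashMap<>();
        trustedCerts.put("client", clientCert);
        trustedCerts.put("server", serverCert);
        TestSslUtils.createKeyStore(clientKeyStore.getPath(), STORE_PASSWORD, STORE_PASSWORD, "client", keyPair.getPrivate(), clientCert);
        TestSslUtils.createKeyStore(serverKeyStore.getPath(), STORE_PASSWORD, STORE_PASSWORD, "server", keyPair.getPrivate(), serverCert);
        TestSslUtils.createTrustStore(trustStore.getPath(), STORE_PASSWORD, trustedCerts);
        this.sslServer.setKeyStorePath(serverKeyStore.getPath());
        this.sslServer.setKeyStorePassword(STORE_PASSWORD.value());
        this.sslServer.setTrustStorePath(trustStore.getPath());
        this.sslServer.setTrustStorePassword(STORE_PASSWORD.value());
        // "want", not "need": a client certificate is requested but a handshake without one still
        // succeeds, so this test does not by itself prove that client authentication is enforced.
        this.sslServer.setWantClientAuth(true);
        this.sslClient.setKeyStorePath(clientKeyStore.getPath());
        this.sslClient.setKeyStorePassword(STORE_PASSWORD.value());
        this.sslClient.setTrustStorePath(trustStore.getPath());
        this.sslClient.setTrustStorePassword(STORE_PASSWORD.value());
    }

    /**
     * A GET over TLS must return 200 and a body equal to the token value the mocked REST client
     * produced, proving the handler forwarded the impersonation token to the resource.
     *
     * @throws Exception if the request fails
     */
    @Test
    public void testAuthHeaderPropagation() throws Exception {
        ContentResponse response = this.httpClient
            .newRequest("https://" + BIND_HOST + ":" + TLS_PORT + "/echoAuthHeader")
            .method(HttpMethod.GET)
            .send();
        Assert.assertEquals(200L, response.getStatus());
        Assert.assertEquals(expectedToken.value(), response.getContentAsString());
    }

    /**
     * Handler configuration used by the test. The issuer must match the one in the canned
     * {@link AuthenticationResponse}; the URLs are never contacted because the REST client is mocked.
     *
     * @return a fresh, fully populated property map
     */
    protected static Map<String, Object> validProps() {
        return TestUtils.MapBuilder.of(String.class, Object.class)
            .with("confluent.metadata.bootstrap.server.urls", "http://localhost:8090")
            .with("auth.ssl.principal.mapping.rules", "DEFAULT")
            .with("oauthbearer.expected.issuer", "test")
            .with("oauthbearer.jwks.endpoint.url", "http://localhost:8090")
            .with("authentication.skip.paths", "/path/1")
            .build();
    }
}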
