package io.confluent.common.security.auth;

import io.confluent.common.security.auth.MtlsLeaderProxyFilter;
import java.security.Principal;
import javax.servlet.FilterChain;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.kafka.test.TestSslUtils;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentCaptor;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/common/security/auth/MtlsLeaderProxyFilterTest.class */
public class MtlsLeaderProxyFilterTest {
    private MtlsLeaderProxyFilter filter;
    private LeaderForwardChecker<HttpServletRequest> leaderForwardChecker;
    private TokenProvider<String> tokenProvider;
    private HttpServletRequest request;
    private HttpServletResponse response;
    private FilterChain filterChain;

    @Before
    public void setUp() {
        this.leaderForwardChecker = (LeaderForwardChecker) Mockito.mock(LeaderForwardChecker.class);
        this.tokenProvider = (TokenProvider) Mockito.mock(TokenProvider.class);
        this.filter = new MtlsLeaderProxyFilter(this.leaderForwardChecker, this.tokenProvider);
        this.request = (HttpServletRequest) Mockito.mock(HttpServletRequest.class);
        this.response = (HttpServletResponse) Mockito.mock(HttpServletResponse.class);
        this.filterChain = (FilterChain) Mockito.mock(FilterChain.class);
    }

    @Test
    public void testDoFilter_ShouldForwardToLeader() throws Exception {
        CertificatePrincipal certificatePrincipal = new CertificatePrincipal("testUser", TestSslUtils.generateCertificate("CN=testUser", TestSslUtils.generateKeyPair("RSA"), 30, "SHA256withRSA"));
        Mockito.when(Boolean.valueOf(this.leaderForwardChecker.shouldForwardToLeader(this.request))).thenReturn(true);
        Mockito.when(this.request.getHeader("Authorization")).thenReturn((Object) null);
        Mockito.when(this.request.getUserPrincipal()).thenReturn(certificatePrincipal);
        Mockito.when(this.tokenProvider.get("testUser")).thenReturn("testToken");
        this.filter.doFilter(this.request, this.response, this.filterChain);
        ArgumentCaptor forClass = ArgumentCaptor.forClass(MtlsLeaderProxyFilter.MtlsImpersonationRequestWrapper.class);
        ((FilterChain) Mockito.verify(this.filterChain)).doFilter((ServletRequest) forClass.capture(), (ServletResponse) Mockito.eq(this.response));
        Assert.assertEquals("Bearer testToken", ((MtlsLeaderProxyFilter.MtlsImpersonationRequestWrapper) forClass.getValue()).getHeader("Authorization"));
    }

    @Test
    public void testDoFilter_ShouldNotForwardToLeader() throws Exception {
        Mockito.when(Boolean.valueOf(this.leaderForwardChecker.shouldForwardToLeader(this.request))).thenReturn(false);
        this.filter.doFilter(this.request, this.response, this.filterChain);
        ((FilterChain) Mockito.verify(this.filterChain)).doFilter(this.request, this.response);
    }

    @Test
    public void testDoFilter_AuthorizationHeaderAlreadyPresent() throws Exception {
        Mockito.when(Boolean.valueOf(this.leaderForwardChecker.shouldForwardToLeader(this.request))).thenReturn(true);
        Mockito.when(this.request.getHeader("Authorization")).thenReturn("Bearer existingToken");
        this.filter.doFilter(this.request, this.response, this.filterChain);
        ArgumentCaptor forClass = ArgumentCaptor.forClass(HttpServletRequest.class);
        ((FilterChain) Mockito.verify(this.filterChain)).doFilter((ServletRequest) forClass.capture(), (ServletResponse) Mockito.eq(this.response));
        Assert.assertEquals("Bearer existingToken", ((HttpServletRequest) forClass.getValue()).getHeader("Authorization"));
    }

    @Test
    public void testDoFilter_NotCertificatePrincipal() throws Exception {
        Principal principal = (Principal) Mockito.mock(JwtPrincipal.class);
        Mockito.when(Boolean.valueOf(this.leaderForwardChecker.shouldForwardToLeader(this.request))).thenReturn(true);
        Mockito.when(this.request.getHeader("Authorization")).thenReturn((Object) null);
        Mockito.when(this.request.getUserPrincipal()).thenReturn(principal);
        ArgumentCaptor forClass = ArgumentCaptor.forClass(HttpServletRequest.class);
        this.filter.doFilter(this.request, this.response, this.filterChain);
        ((FilterChain) Mockito.verify(this.filterChain)).doFilter((ServletRequest) forClass.capture(), (ServletResponse) Mockito.eq(this.response));
        Assert.assertEquals(principal, ((HttpServletRequest) forClass.getValue()).getUserPrincipal());
    }

    @Test
    public void testDoFilter_TokenProviderReturnsNull() throws Exception {
        CertificatePrincipal certificatePrincipal = new CertificatePrincipal("testUser", TestSslUtils.generateCertificate("CN=testUser", TestSslUtils.generateKeyPair("RSA"), 30, "SHA256withRSA"));
        Mockito.when(Boolean.valueOf(this.leaderForwardChecker.shouldForwardToLeader(this.request))).thenReturn(true);
        Mockito.when(this.request.getHeader("Authorization")).thenReturn((Object) null);
        Mockito.when(this.request.getUserPrincipal()).thenReturn(certificatePrincipal);
        Mockito.when(this.tokenProvider.get("testUser")).thenReturn((Object) null);
        this.filter.doFilter(this.request, this.response, this.filterChain);
        ArgumentCaptor forClass = ArgumentCaptor.forClass(HttpServletRequest.class);
        ((FilterChain) Mockito.verify(this.filterChain)).doFilter((ServletRequest) forClass.capture(), (ServletResponse) Mockito.eq(this.response));
        Assert.assertEquals(certificatePrincipal, ((HttpServletRequest) forClass.getValue()).getUserPrincipal());
    }
}
