package io.confluent.common.security.jetty;

import io.confluent.common.security.jetty.initializer.AuthenticationHandler;
import io.confluent.common.security.jetty.jwt.JwtBuilder;
import io.confluent.common.security.util.AuthUtils;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Stream;
import javax.servlet.ServletRequest;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/common/security/jetty/ImpersonationTokenCertificateValidationTest.class */
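/**
 * Tests {@link CompositeLoginService}'s handling of impersonation tokens.
 *
 * <p>An impersonation token is a JWT whose {@code cp_proxy} claim names the principal of the
 * proxy presenting it. When the request is routed to the JWT login service and client
 * certificate authentication is required, the login is expected to bind that proxy principal
 * to the certificate chain the request carries (the servlet X.509 attribute) by calling
 * {@code validateImpersonationIdentity}; a principal that matches none of the chain's
 * certificates is rejected with a {@link RuntimeException}. Without client auth, without the
 * JWT login attribute, or with {@code token.impersonation.validation=false}, the check is
 * expected not to run. All assertions are made against a Mockito spy of the real service.
 */
public class ImpersonationTokenCertificateValidationTest {
    /** Request attribute that routes the login to the JWT login service. */
    private static final String USE_JWT_LOGIN_SERVICE_ATTRIBUTE = "io.confluent.useJWTLoginService";
    /** Servlet request attribute carrying the client's certificate chain. */
    private static final String X509_CERTIFICATE_ATTRIBUTE = "javax.servlet.request.X509Certificate";
    /** JWT claim naming the proxy principal. */
    private static final String PROXY_CLAIM = "cp_proxy";
    private static final String CLIENT_AUTH_CONFIG = "ssl.client.authentication";
    private static final String IMPERSONATION_VALIDATION_CONFIG = "token.impersonation.validation";

    private static final String KEYSTORE_RESOURCE = "/certificates/test.p12";
    private static final String KEYSTORE_PASSWORD = "changeit";
    private static final String KEYSTORE_ALIAS = "test";

    /** Subject present in the test keystore's chain (presumably the end-entity cert — confirm against test.p12). */
    private static final String TEST_PRINCIPAL = "CN=Test,O=Confluent,C=US";
    /** Another subject present in the same chain (the issuing CA, judging by the name — confirm). */
    private static final String TEST_CA_PRINCIPAL = "CN=Test CA,O=Confluent,C=US";
    /** A principal that matches no certificate in the chain. */
    private static final String UNKNOWN_PRINCIPAL = "something-else";

    private static final JwtBuilder JWT_BUILDER = new JwtBuilder();

    private LoginService mockHttpLoginService;
    private LoginService mockX509LoginService;
    private ServletRequest mockRequest;
    /** Spy over the real service; rebuilt by every {@link #testImpersonationCall} invocation. */
    private CompositeLoginService compositeLoginService;

    @Rule
    public ExpectedException exceptionRule = ExpectedException.none();

    @Before
    public void setup() {
        this.mockHttpLoginService = Mockito.mock(LoginService.class);
        this.mockX509LoginService = Mockito.mock(LoginService.class);
        // NOTE(review): invoking a mock with a matcher outside when()/verify() stubs nothing; these
        // two calls only record an interaction on the mocks. Kept as found — confirm they are needed.
        this.mockHttpLoginService.setIdentityService(ArgumentMatchers.any());
        this.mockX509LoginService.setIdentityService(ArgumentMatchers.any());
        this.mockRequest = Mockito.spy(ServletRequest.class);
    }

    /** Stubs the request so the composite service routes the login to the JWT login service. */
    private void requestJwtLogin() {
        Mockito.when(this.mockRequest.getAttribute(USE_JWT_LOGIN_SERVICE_ATTRIBUTE)).thenReturn(true);
    }

    /**
     * With JWT login requested and client auth required, the proxy principal is validated
     * exactly once against the request; without client auth there is no certificate to bind
     * the claim to, so the validation hook must not run.
     */
    @Test
    public void testCompositeLoginImpersonateTokenHappyPathValidation() throws Exception {
        requestJwtLogin();

        testImpersonationCall(TEST_PRINCIPAL, true, true);
        Mockito.verify(this.compositeLoginService)
            .validateImpersonationIdentity(TEST_PRINCIPAL, this.mockRequest);

        // testImpersonationCall builds a fresh spy, so no Mockito.reset is needed between calls.
        testImpersonationCall(TEST_PRINCIPAL, false, true);
        Mockito.verify(this.compositeLoginService, Mockito.never())
            .validateImpersonationIdentity(TEST_PRINCIPAL, this.mockRequest);
    }

    /**
     * The proxy principal may match any certificate in the presented chain, not only the first.
     * NOTE(review): this pins the second subject in the chain (apparently the issuing CA) as an
     * acceptable proxy identity — confirm that is intended, since it widens which principals a
     * {@code cp_proxy} claim may name.
     */
    @Test
    public void testCompositeLoginImpersonateTokenMultipleCertificates() throws Exception {
        requestJwtLogin();
        testImpersonationCall(TEST_CA_PRINCIPAL, true, true);
        Mockito.verify(this.compositeLoginService)
            .validateImpersonationIdentity(TEST_CA_PRINCIPAL, this.mockRequest);
    }

    /**
     * A proxy principal matching none of the chain's certificates is rejected. The verify is
     * placed in a catch block: the original sat after the throwing call and never executed
     * (and named a principal that was never passed); the exception is rethrown so the rule can
     * match its type and message.
     */
    @Test
    public void testCompositeLoginImpersonateTokenFailValidation() throws Exception {
        this.exceptionRule.expect(RuntimeException.class);
        this.exceptionRule.expectMessage("Impersonation token validation failed. None of the certificate principal matches the proxy principal : something-else");
        requestJwtLogin();
        try {
            testImpersonationCall(UNKNOWN_PRINCIPAL, true, true);
        } catch (RuntimeException e) {
            Mockito.verify(this.compositeLoginService)
                .validateImpersonationIdentity(UNKNOWN_PRINCIPAL, this.mockRequest);
            throw e;
        }
    }

    /** Without the JWT login attribute the token is not treated as an impersonation token. */
    @Test
    public void testCompositeLoginImpersonateTokenShouldNotValidateBasicToken() throws Exception {
        testImpersonationCall(TEST_PRINCIPAL, true, true);
        Mockito.verify(this.compositeLoginService, Mockito.never())
            .validateImpersonationIdentity(TEST_PRINCIPAL, this.mockRequest);
    }

    /**
     * With {@code token.impersonation.validation=false} the certificate binding is skipped
     * entirely: an unknown proxy principal logs in without the hook running, with or without
     * client auth required.
     */
    @Test
    public void testCompositeLoginImpersonateTokenHappyPathWithTokenValidationSkipped() throws Exception {
        requestJwtLogin();

        testImpersonationCall(UNKNOWN_PRINCIPAL, true, false);
        Mockito.verify(this.compositeLoginService, Mockito.never())
            .validateImpersonationIdentity(UNKNOWN_PRINCIPAL, this.mockRequest);

        testImpersonationCall(UNKNOWN_PRINCIPAL, false, false);
        Mockito.verify(this.compositeLoginService, Mockito.never())
            .validateImpersonationIdentity(UNKNOWN_PRINCIPAL, this.mockRequest);
    }

    /**
     * Builds a fresh {@link CompositeLoginService} spy for the given configuration and performs
     * one login with an impersonation token naming {@code proxyPrincipal}, presenting the test
     * keystore's certificate chain on the request.
     *
     * @param proxyPrincipal value of the token's {@code cp_proxy} claim
     * @param clientAuthRequired whether to configure {@code ssl.client.authentication=REQUIRED}
     * @param validateImpersonation whether impersonation validation stays enabled; {@code false}
     *     sets {@code token.impersonation.validation=false}
     * @throws Exception from keystore loading, token building, or the login itself
     */
    private void testImpersonationCall(String proxyPrincipal, boolean clientAuthRequired, boolean validateImpersonation) throws Exception {
        Map<String, Object> props = new HashMap<>();
        if (clientAuthRequired) {
            props.put(CLIENT_AUTH_CONFIG, "REQUIRED");
        }
        if (!validateImpersonation) {
            props.put(IMPERSONATION_VALIDATION_CONFIG, "false");
        }
        AuthenticationHandler.SecurityHandlerConfig config = new AuthenticationHandler.SecurityHandlerConfig(props);
        this.compositeLoginService = Mockito.spy(new CompositeLoginService(
            this.mockHttpLoginService,
            this.mockX509LoginService,
            AuthUtils.isClientAuthEnabled(config),
            AuthUtils.impersonationTokenValidation(config)));

        Map<String, Object> claims = Collections.singletonMap(PROXY_CLAIM, proxyPrincipal);
        String token = JWT_BUILDER.buildJwt(claims, "c1");
        X509Certificate[] chain = loadCertificateChain(KEYSTORE_RESOURCE, KEYSTORE_PASSWORD, KEYSTORE_ALIAS);
        Mockito.when(this.mockRequest.getAttribute(X509_CERTIFICATE_ATTRIBUTE)).thenReturn(chain);

        this.compositeLoginService.login("test", token, this.mockRequest);
    }

    /**
     * Loads the certificate chain stored under {@code alias} in a PKCS#12 classpath resource.
     * Fails loudly when the resource or the alias is missing instead of letting
     * {@code KeyStore.load(null, ...)} silently yield an empty store.
     *
     * @param resourcePath classpath path of the PKCS#12 keystore
     * @param password keystore password
     * @param alias entry whose chain is returned
     * @return the chain, in keystore order, as X.509 certificates
     * @throws Exception on keystore or I/O errors; {@link IllegalStateException} if the alias has no chain
     */
    private X509Certificate[] loadCertificateChain(String resourcePath, String password, String alias) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("pkcs12");
        try (InputStream in = getClass().getResourceAsStream(resourcePath)) {
            keyStore.load(Objects.requireNonNull(in, "keystore resource not found: " + resourcePath), password.toCharArray());
        }
        Certificate[] chain = keyStore.getCertificateChain(alias);
        if (chain == null) {
            throw new IllegalStateException("no certificate chain for alias " + alias + " in " + resourcePath);
        }
        return Arrays.stream(chain).map(X509Certificate.class::cast).toArray(X509Certificate[]::new);
    }
}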
