package io.confluent.common.security.jetty;

import io.confluent.common.security.jetty.jwt.JwtBuilder;
import io.confluent.common.security.util.JwtUtils;
import io.confluent.kafka.clients.plugins.auth.jwt.CloseableVerificationKeyResolver;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticator;
import io.confluent.kafka.server.plugins.auth.token.IdentityProviderService;
import io.confluent.security.authentication.http.HttpClient;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.Key;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import javax.servlet.ServletRequest;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Form;
import org.apache.kafka.common.config.ConfigException;
import org.eclipse.jetty.server.HttpChannel;
import org.eclipse.jetty.server.HttpInput;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.UserIdentity;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.jupiter.api.Assertions;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:io/confluent/common/security/jetty/JwtLoginServiceTest.class */
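/**
 * Tests for {@code JwtLoginService}: a login service that authenticates a bearer JWT either against
 * locally configured public keys (PEM files or {@link PublicKey} instances) or against the JWKS
 * endpoint of an embedded {@link IdentityProviderService}.
 *
 * <p>The negative tests (bad signature, wrong issuer, wrong audience, expired token, missing
 * {@code sub}/{@code jti}) all expect {@code login(...)} to return {@code null}; each of them must
 * fail for exactly one reason so that a passing test actually proves the corresponding check.
 */
public class JwtLoginServiceTest {
    private static final JwtBuilder JWT_BUILDER = new JwtBuilder();
    private static final JwtBuilder DIFFERENT_JWT_BUILDER = new JwtBuilder();
    private static final String CORRECT_ROLES = "clusters";
    private static final String CORRECT_ISSUER = "Confluent";
    private static final String CORRECT_SUBJECT = "franz";
    private static final String ORG_RESOURCE_ID_VALUE = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
    // Request attribute that the login service populates from the token (see testOrgResourceIdInJwtToken).
    private static final String ORG_RESOURCE_ID_ATTRIBUTE = "orgResourceId";
    // Audience the embedded IdP puts into the tokens it mints; used as the expected audience.
    private static final List<String> IDP_AUDIENCE = Collections.singletonList("account");
    // Roles carried by the token built in setup(), see JWT_BUILDER.buildJwt("cp12", "cp42").
    private static final String ROLE_CP12 = "cp12";
    private static final String ROLE_CP42 = "cp42";

    @Rule
    public final TemporaryFolder tempFolder = new TemporaryFolder();
    private String validJwt;
    private Path pemPath;
    private Path pemDir;
    private PublicKey publicKey;
    private IdentityProviderService idp;
    private HttpClient httpClient;

    /**
     * Writes the signing key of {@link #JWT_BUILDER} as {@code 0.pem} into a fresh temp directory,
     * builds a valid token carrying the roles {@code cp12}/{@code cp42}, and starts the embedded IdP.
     */
    @Before
    public void setup() throws Exception {
        this.pemDir = this.tempFolder.newFolder().toPath();
        this.pemPath = JWT_BUILDER.createJwtPublicKey(this.pemDir.resolve("0.pem"));
        this.publicKey = JWT_BUILDER.getJwtPublicKey();
        this.validJwt = JWT_BUILDER.buildJwt(ROLE_CP12, ROLE_CP42);
        this.idp = new IdentityProviderService();
        this.idp.start();
        this.httpClient = HttpClient.builder().build();
    }

    /** Stops the embedded IdP and releases the HTTP client; both may be null if setup() failed early. */
    @After
    public void tearDown() throws Exception {
        if (this.idp != null) {
            this.idp.shutdown();
        }
        if (this.httpClient != null) {
            this.httpClient.close();
        }
    }

    @Test
    public void testValidJwt() throws Exception {
        assertValidJwtAccepted(givenLoginServiceWithPemPath(this.pemPath));
        assertValidJwtAccepted(givenLoginServiceWithPublicKey(this.publicKey));
    }

    /** A correctly signed token yields a principal with the token's subject, the raw JWT and its roles. */
    private void assertValidJwtAccepted(JwtLoginService jwtLoginService) throws Exception {
        UserIdentity login = loginWith(jwtLoginService, this.validJwt);
        Assert.assertNotNull(login);
        Assert.assertEquals(CORRECT_SUBJECT, login.getUserPrincipal().getName());
        Assert.assertEquals(this.validJwt, login.getUserPrincipal().getJwt());
        Assert.assertTrue(login.isUserInRole(ROLE_CP42, (UserIdentity.Scope) null));
        Assert.assertTrue(login.isUserInRole(ROLE_CP12, (UserIdentity.Scope) null));
    }

    @Test
    public void testValidIdPJwt() throws Exception {
        String jwtFromIdp = getJwtFromIdp();
        UserIdentity login = loginWith(givenLoginServiceWithJwks(null, null), jwtFromIdp);
        Assert.assertNotNull(login);
        Assert.assertEquals("app1-developer", login.getUserPrincipal().getName());
        Assert.assertEquals(jwtFromIdp, login.getUserPrincipal().getJwt());
    }

    /** A configured subject claim name ("preferred_username") replaces {@code sub} as the principal name. */
    @Test
    public void testJwtSubClaimName() throws Exception {
        String jwtFromIdp = getJwtFromIdp();
        UserIdentity login = loginWith(givenLoginServiceWithJwks("preferred_username", null), jwtFromIdp);
        Assert.assertNotNull(login);
        Assert.assertEquals("service-account-app1-developer", login.getUserPrincipal().getName());
        Assert.assertEquals(jwtFromIdp, login.getUserPrincipal().getJwt());
        Assert.assertNull(login.getUserPrincipal().getGroupsClaimName());
    }

    /** A configured groups claim name is exposed on the principal and resolves to the token's groups. */
    @Test
    public void testIdpJwtGroupsClaimName() throws Exception {
        String jwtFromIdp = getJwtFromIdp();
        UserIdentity login = loginWith(givenLoginServiceWithJwks(null, "groups"), jwtFromIdp);
        Assert.assertNotNull(login);
        Assert.assertEquals("app1-developer", login.getUserPrincipal().getName());
        Assert.assertEquals(jwtFromIdp, login.getUserPrincipal().getJwt());
        Assert.assertEquals("groups", login.getUserPrincipal().getGroupsClaimName());
        Set<?> groupsFromJwtPrincipal = JwtUtils.getGroupsFromJwtPrincipal(login.getUserPrincipal());
        Assert.assertEquals(1, groupsFromJwtPrincipal.size());
        Assert.assertTrue(groupsFromJwtPrincipal.contains("/g4"));
    }

    /**
     * Pointing the groups claim name at a string-valued claim must be rejected when the groups are
     * read, not silently coerced.
     */
    @Test
    public void testInvalidGroupsClaimName() throws Exception {
        UserIdentity login = loginWith(givenLoginServiceWithJwks(null, "preferred_username"), getJwtFromIdp());
        Assert.assertNotNull(login);
        try {
            JwtUtils.getGroupsFromJwtPrincipal(login.getUserPrincipal());
            Assert.fail("Expected IllegalArgumentException since groups claim is not a list of String");
        } catch (IllegalArgumentException e) {
            Assert.assertEquals("Unexpected type of groups in jwt. Expected type: interface java.util.List, Actual type: class java.lang.String", e.getMessage());
        }
    }

    /** A token whose audience does not match the configured one is rejected. */
    @Test
    public void testJwtInvalidAudClaim() throws Exception {
        JwtLoginService service = givenLoginServiceWithJwks(
                this.idp.getJwksEndpoint(), this.idp.getIssuer(), null, null,
                Collections.singletonList("differentAud"));
        Assert.assertNull(loginWith(service, getJwtFromIdp()));
    }

    @Test
    public void testInvalidIssuer() throws Exception {
        assertLoginRejected(givenLoginServiceWithIssuer(this.pemPath.toString(), "ACME Inc."), this.validJwt);
        assertLoginRejected(givenLoginServiceWithIssuer(Arrays.asList(this.publicKey), "ACME Inc."), this.validJwt);
    }

    /** A login service cannot be configured without an expected issuer. */
    @Test
    public void testNullIssuer() throws Exception {
        Assertions.assertThrows(IllegalArgumentException.class, () -> {
            // Construction is expected to throw; the login call only runs if it does not.
            assertLoginAccepted(givenLoginServiceWithIssuer(this.pemPath.toString(), (String) null), this.validJwt);
        });
    }

    /** A null roles claim name is allowed: the token still authenticates, it just carries no roles. */
    @Test
    public void testNullRoles() throws Exception {
        assertLoginAccepted(givenLoginServiceWithRoles(this.pemPath.toString(), (String) null), this.validJwt);
    }

    @Test
    public void testMissingSubject() throws Exception {
        JwtClaims claims = validClaims();
        claims.setSubject((String) null);
        assertLoginRejected(givenLoginServiceWithPemPath(this.pemPath), JWT_BUILDER.buildJwt(claims));
    }

    @Test
    public void testMissingJwtId() throws Exception {
        JwtClaims claimsForPemService = validClaims();
        claimsForPemService.setJwtId((String) null);
        assertLoginRejected(givenLoginServiceWithPemPath(this.pemPath), JWT_BUILDER.buildJwt(claimsForPemService));

        JwtClaims claimsForKeyService = validClaims();
        claimsForKeyService.setJwtId((String) null);
        assertLoginRejected(givenLoginServiceWithPublicKey(JWT_BUILDER.getJwtPublicKey()),
                JWT_BUILDER.buildJwt(claimsForKeyService));
    }

    /** An expiry 1000 ms in the past must be rejected even though the signature is valid. */
    @Test
    public void testExpiredToken() throws Exception {
        assertLoginRejected(givenLoginServiceWithPemPath(this.pemPath),
                JWT_BUILDER.buildJwt(-1000L, null, ROLE_CP12, ROLE_CP42));
    }

    /** If the configured roles claim is absent from the token, the user authenticates but has no roles. */
    @Test
    public void testMissingRolesClaim() throws Exception {
        UserIdentity login = loginWith(givenLoginServiceWithRoles(this.pemPath.toString(), "otherclaim"), this.validJwt);
        Assert.assertNotNull(login);
        Assert.assertFalse(login.isUserInRole(ROLE_CP42, (UserIdentity.Scope) null));
    }

    /** The parent of the PEM directory contains no *.pem files, so starting the service must fail. */
    @Test(expected = ConfigException.class)
    public void testThrowsOnStartIfNoPublicKeys() throws Exception {
        givenLoginServiceWithPemPath(this.pemDir.getParent());
    }

    /** Both keys in the PEM directory (0.pem and 1.pem) are accepted when the directory is configured. */
    @Test
    public void testSupportMultipleKeyPaths() throws Exception {
        DIFFERENT_JWT_BUILDER.createJwtPublicKey(this.pemDir.resolve("1.pem"));
        String jwtSignedWithSecondKey = DIFFERENT_JWT_BUILDER.buildJwt("c1");
        JwtLoginService service = givenLoginServiceWithPemPath(this.pemDir);
        assertLoginAccepted(service, this.validJwt);
        assertLoginAccepted(service, jwtSignedWithSecondKey);
    }

    /** Tokens signed by either configured public key are accepted. */
    @Test
    public void testSupportMultiplePublicKeys() throws Exception {
        DIFFERENT_JWT_BUILDER.createJwtPublicKey(this.pemDir.resolve("1.pem"));
        String jwtSignedWithSecondKey = DIFFERENT_JWT_BUILDER.buildJwt("c1");
        JwtLoginService service = givenLoginServiceWithPublicKey(this.publicKey, DIFFERENT_JWT_BUILDER.getJwtPublicKey());
        assertLoginAccepted(service, this.validJwt);
        assertLoginAccepted(service, jwtSignedWithSecondKey);
    }

    /** Garbage that is not even a compact JWS is rejected without throwing. */
    @Test
    public void testFailsIfTokenInvalid() throws Exception {
        assertLoginRejected(givenLoginServiceWithPemPath(this.pemPath), "12o842jfishjsbf");
    }

    /** A token signed by a key the service does not trust is rejected (PEM-configured service). */
    @Test
    public void testFailsIfTokenNotSignedWithPublicKey() throws Exception {
        assertLoginRejected(givenLoginServiceWithPemPath(this.pemPath), DIFFERENT_JWT_BUILDER.buildJwt("c1"));
    }

    /** A token signed by a local key is rejected by a service that trusts only the IdP's JWKS. */
    @Test
    public void testFailsIfTokenNotSignedWithJwks() throws Exception {
        assertLoginRejected(givenLoginServiceWithJwks(null, null), JWT_BUILDER.buildJwt("lkc-1234"));
    }

    /** The org resource id carried by the token is copied onto the servlet request. */
    @Test
    public void testOrgResourceIdInJwtToken() throws Exception {
        String jwtWithOrgId = JWT_BUILDER.buildJwt(ORG_RESOURCE_ID_VALUE, TimeUnit.HOURS.toMillis(1L), null, ROLE_CP12, ROLE_CP42);
        Request request = new Request((HttpChannel) null, (HttpInput) null);
        Assert.assertNotNull(givenLoginServiceWithPemPath(this.pemPath).login((String) null, jwtWithOrgId, request));
        Assert.assertEquals("Verify org resource id is set in HttpServletRequest",
                ORG_RESOURCE_ID_VALUE, request.getAttribute(ORG_RESOURCE_ID_ATTRIBUTE));
    }

    /** Without an org resource id in the token the request attribute is set to the empty string. */
    @Test
    public void testOrgResourceIdNotInJwtToken() throws Exception {
        Request request = new Request((HttpChannel) null, (HttpInput) null);
        Assert.assertNotNull(givenLoginServiceWithPemPath(this.pemPath).login((String) null, this.validJwt, request));
        // String.valueOf() turns an unset attribute into "null", which fails the comparison with a readable
        // message instead of an NPE.
        Assert.assertEquals("Verify org resource id not set in HttpServletRequest",
                "", String.valueOf(request.getAttribute(ORG_RESOURCE_ID_ATTRIBUTE)));
    }

    /** The principal exposes the raw token and the parsed claims. */
    @Test
    public void testJwtTokenIsInstanceOfOAuthBearerJwsToken() throws Exception {
        UserIdentity login = loginWith(givenLoginServiceWithPublicKey(this.publicKey), this.validJwt);
        Assert.assertNotNull(login);
        Assert.assertEquals(this.validJwt, login.getUserPrincipal().getJwt());
        Assert.assertEquals(CORRECT_ISSUER, login.getUserPrincipal().jwtClaims().get("iss"));
    }

    // ---- helpers ---------------------------------------------------------------------------------

    /** Logs in with {@code jwt} and no username or request, as the production caller does for bearer tokens. */
    private static UserIdentity loginWith(JwtLoginService jwtLoginService, String jwt) {
        return jwtLoginService.login((String) null, jwt, (ServletRequest) null);
    }

    /** Asserts that {@code jwt} is rejected, i.e. {@code login} returns {@code null} rather than throwing. */
    private static void assertLoginRejected(JwtLoginService jwtLoginService, String jwt) {
        Assert.assertNull(loginWith(jwtLoginService, jwt));
    }

    /** Asserts that {@code jwt} is accepted, i.e. {@code login} returns a non-null identity. */
    private static void assertLoginAccepted(JwtLoginService jwtLoginService, String jwt) {
        Assert.assertNotNull(loginWith(jwtLoginService, jwt));
    }

    /**
     * Login service backed by PEM file(s) at {@code pemPath} that expects {@code issuer}
     * and reads roles from {@link #CORRECT_ROLES}.
     */
    private JwtLoginService givenLoginServiceWithIssuer(String pemPath, String issuer) throws Exception {
        return givenLoginServiceWith(issuer, null, pemPath, CORRECT_ROLES);
    }

    /** Login service backed by in-memory public keys that expects {@code issuer}. */
    private JwtLoginService givenLoginServiceWithIssuer(List<PublicKey> publicKeys, String issuer) throws Exception {
        return givenLoginServiceWith(issuer, publicKeys, null, CORRECT_ROLES);
    }

    /** Login service backed by PEM file(s) that reads roles from {@code rolesClaim} (may be null). */
    private JwtLoginService givenLoginServiceWithRoles(String pemPath, String rolesClaim) throws Exception {
        return givenLoginServiceWith(CORRECT_ISSUER, null, pemPath, rolesClaim);
    }

    /** Login service backed by in-memory public keys that reads roles from {@code rolesClaim}. */
    private JwtLoginService givenLoginServiceWithRoles(List<PublicKey> publicKeys, String rolesClaim) throws Exception {
        return givenLoginServiceWith(CORRECT_ISSUER, publicKeys, "", rolesClaim);
    }

    /** Login service backed by the PEM file or directory at {@code path} with the default issuer and roles claim. */
    private JwtLoginService givenLoginServiceWithPemPath(Path path) throws Exception {
        return givenLoginServiceWith(CORRECT_ISSUER, null, path.toString(), CORRECT_ROLES);
    }

    /** Login service trusting exactly the given public keys, with the default issuer and roles claim. */
    private JwtLoginService givenLoginServiceWithPublicKey(PublicKey... publicKeys) throws Exception {
        return givenLoginServiceWith(CORRECT_ISSUER, Arrays.asList(publicKeys), "", CORRECT_ROLES);
    }

    /**
     * Login service trusting the embedded IdP's JWKS and issuer, expecting the IdP's audience.
     *
     * @param subClaimName    claim to use as principal name, or null for {@code sub}
     * @param groupsClaimName claim holding the principal's groups, or null for none
     */
    private JwtLoginService givenLoginServiceWithJwks(String subClaimName, String groupsClaimName) throws Exception {
        return givenLoginServiceWithJwks(this.idp.getJwksEndpoint(), this.idp.getIssuer(),
                subClaimName, groupsClaimName, IDP_AUDIENCE);
    }

    /**
     * Login service whose {@link JwtAuthenticator} resolves signing keys from {@code jwksUrl}.
     *
     * @param jwksUrl         JWKS endpoint the verification key resolver fetches keys from
     * @param issuer          expected {@code iss} claim
     * @param subClaimName    claim to use as principal name, or null for {@code sub}
     * @param groupsClaimName claim holding the principal's groups, or null for none
     * @param audiences       accepted {@code aud} values
     */
    private JwtLoginService givenLoginServiceWithJwks(String jwksUrl, String issuer, String subClaimName,
            String groupsClaimName, List<String> audiences) throws Exception {
        JwtAuthenticator authenticator = new JwtAuthenticator(issuer,
                createJwksVerificationKeyResolver(new HttpsJwks(jwksUrl)), audiences, false);
        JwtLoginService jwtLoginService = new JwtLoginService((String) null, authenticator, subClaimName, groupsClaimName);
        // NOTE(review): services started here are never stopped; confirm whether JwtLoginService holds
        // resources that need a matching stop in tearDown().
        jwtLoginService.doStart();
        return jwtLoginService;
    }

    /**
     * Wraps a jose4j {@link HttpsJwksVerificationKeyResolver} in the closeable resolver interface the
     * authenticator requires; the jose4j resolver owns nothing that needs releasing, so close() is a no-op.
     */
    private CloseableVerificationKeyResolver createJwksVerificationKeyResolver(HttpsJwks httpsJwks) {
        final HttpsJwksVerificationKeyResolver delegate = new HttpsJwksVerificationKeyResolver(httpsJwks);
        return new CloseableVerificationKeyResolver() {
            @Override
            public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContext) throws UnresolvableKeyException {
                return delegate.resolveKey(jws, nestingContext);
            }

            @Override
            public void close() {
                // nothing to release
            }
        };
    }

    /**
     * Builds and starts a login service backed by local keys.
     *
     * @param issuer     expected {@code iss} claim
     * @param publicKeys trusted keys; when non-null they take precedence over {@code pemPath}
     * @param pemPath    PEM file or directory to load keys from when {@code publicKeys} is null
     * @param rolesClaim claim holding the principal's roles, may be null
     */
    private JwtLoginService givenLoginServiceWith(String issuer, List<PublicKey> publicKeys, String pemPath,
            String rolesClaim) throws Exception {
        JwtLoginService jwtLoginService = publicKeys != null
                ? new JwtLoginService((String) null, issuer, publicKeys, rolesClaim)
                : new JwtLoginService((String) null, issuer, pemPath, rolesClaim);
        jwtLoginService.doStart();
        return jwtLoginService;
    }

    /**
     * Claims that the PEM/public-key backed service should accept as-is. Callers remove a single claim
     * to test that the service rejects its absence, so every remaining claim must be valid — in
     * particular the expiry is one hour in the future, not a fixed epoch-relative instant (which would
     * make the token expired and let the missing-claim tests pass for the wrong reason).
     */
    private static JwtClaims validClaims() {
        JwtClaims jwtClaims = new JwtClaims();
        jwtClaims.setIssuer(CORRECT_ISSUER);
        jwtClaims.setExpirationTime(NumericDate.fromMilliseconds(System.currentTimeMillis() + TimeUnit.HOURS.toMillis(1L)));
        jwtClaims.setJwtId("000-111-222-333");
        jwtClaims.setStringListClaim(CORRECT_ROLES, new String[]{"c1"});
        jwtClaims.setSubject(CORRECT_SUBJECT);
        return jwtClaims;
    }

    /**
     * Obtains an access token from the embedded IdP via the client-credentials grant, authenticating
     * the test client with HTTP Basic credentials. Fails the test if the response carries no token.
     */
    private String getJwtFromIdp() throws ExecutionException, InterruptedException {
        String basicCredentials = Base64.getEncoder()
                .encodeToString("app1-developer:app1-developer".getBytes(StandardCharsets.UTF_8));
        Form form = new Form().param("grant_type", "client_credentials");
        String accessToken = this.httpClient.target(URI.create(this.idp.getTokenEndpoint()))
                .request()
                .header("Authorization", "Basic " + basicCredentials)
                .accept("application/json")
                .rx()
                .post(Entity.entity(form, "application/x-www-form-urlencoded"))
                .thenApply(response -> (Map<?, ?>) response.readEntity(Map.class))
                .thenApply(map -> (String) map.get("access_token"))
                .toCompletableFuture()
                .get();
        Assert.assertNotNull("IdP token response did not contain an access_token", accessToken);
        return accessToken;
    }
}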
