package io.confluent.common.security.jetty.initializer;

import io.confluent.common.security.auth.MtlsLeaderProxyFilter;
import io.confluent.common.security.jetty.CompositeAuthenticator;
import io.confluent.common.security.jetty.CompositeLoginService;
import io.confluent.common.security.jetty.JwtLoginService;
import io.confluent.common.security.jetty.JwtWithFallbackLoginService;
import io.confluent.common.security.jetty.MultiJwtWithFallbackLoginService;
import io.confluent.common.security.jetty.jwt.JwtBuilder;
import io.confluent.common.security.metrics.MetricsContainer;
import io.confluent.common.security.util.AuthUtils;
import io.confluent.common.security.util.JwtTestUtils;
import io.confluent.common.security.util.JwtUtils;
import io.confluent.common.security.util.TestUtils;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticator;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtVerificationException;
import io.confluent.kafka.clients.plugins.auth.jwt.PublicKeyJwks;
import io.confluent.kafka.clients.plugins.auth.jwt.PublicKeyVerificationKeyResolver;
import io.confluent.security.auth.client.rest.RestClient;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Map;
import org.apache.commons.lang3.ArrayUtils;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.hamcrest.CoreMatchers;
import org.hamcrest.Matcher;
import org.hamcrest.MatcherAssert;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.lang.JoseException;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.jupiter.api.Assertions;
import org.junit.rules.TemporaryFolder;
import org.junit.runner.RunWith;
import org.mockito.ArgumentCaptor;
import org.mockito.ArgumentMatchers;
import org.mockito.Captor;
import org.mockito.Mock;
import org.mockito.MockedStatic;
import org.mockito.Mockito;
import org.mockito.junit.MockitoJUnitRunner;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RunWith(MockitoJUnitRunner.class)
/* loaded from: input_file:io/confluent/common/security/jetty/initializer/AuthenticationHandlerTest.class */
public class AuthenticationHandlerTest {
    private static final Logger log = LoggerFactory.getLogger(AuthenticationHandler.class);
    private static final JwtBuilder JWT_BUILDER = new JwtBuilder();
    private static final Constraint NO_AUTH = new Constraint();
    private static final String JWKS_URL = "http://mock-url";
    private static final String EXPECTED_ISSUER = "Confluent";

    @Rule
    public TemporaryFolder tempFolder = new TemporaryFolder();
    static Path pemPath;

    @Mock
    private ServletContextHandler context;

    @Captor
    private ArgumentCaptor<SecurityHandler> securityHandlerArg;

    @Captor
    private ArgumentCaptor<FilterHolder> filterHolderArg;
    private AuthenticationHandler installer;

    @Before
    public void setUp() {
        pemPath = JWT_BUILDER.createJwtPublicKey(this.tempFolder.getRoot().toPath().resolve("public.key"));
        this.installer = new AuthenticationHandler();
    }

    @Test
    public void testSetRealm() {
        this.installer.configure(TestUtils.MapBuilder.of(validProps()).with("authentication.realm", EXPECTED_ISSUER).build());
        this.installer.accept(this.context);
        MatcherAssert.assertThat(assertSecurityHandlerInstalled().getRealmName(), CoreMatchers.is(EXPECTED_ISSUER));
    }

    @Test
    public void testDefaultRolesOnConstraint() {
        this.installer.configure(TestUtils.MapBuilder.of(validProps()).with("authentication.roles", "").build());
        this.installer.accept(this.context);
        ConstraintSecurityHandler assertSecurityHandlerInstalled = assertSecurityHandlerInstalled();
        String[] strArr = ArrayUtils.EMPTY_STRING_ARRAY;
        for (ConstraintMapping constraintMapping : assertSecurityHandlerInstalled.getConstraintMappings()) {
            if (constraintMapping.getPathSpec().equals("/*")) {
                strArr = constraintMapping.getConstraint().getRoles();
            }
        }
        Assert.assertTrue(ArrayUtils.contains(strArr, "**"));
    }

    @Test
    public void testNotRequireSkipPaths() {
        this.installer.configure(TestUtils.MapBuilder.of(validProps()).without("authentication.skip.paths").build());
    }

    @Test
    public void testAddSkipPaths() {
        this.installer.configure(TestUtils.MapBuilder.of(validProps()).with("authentication.skip.paths", "/path/1,/path/2").build());
        this.installer.accept(this.context);
        ConstraintSecurityHandler assertSecurityHandlerInstalled = assertSecurityHandlerInstalled();
        ConstraintMapping constraintMapping = new ConstraintMapping();
        constraintMapping.setConstraint(NO_AUTH);
        constraintMapping.setMethod("*");
        constraintMapping.setPathSpec("/path/1");
        ConstraintMapping constraintMapping2 = new ConstraintMapping();
        constraintMapping2.setConstraint(NO_AUTH);
        constraintMapping2.setMethod("*");
        constraintMapping2.setPathSpec("/path/2");
        MatcherAssert.assertThat(assertSecurityHandlerInstalled.getConstraintMappings(), CoreMatchers.hasItems(new Matcher[]{JwtTestUtils.constraintMapping(constraintMapping), JwtTestUtils.constraintMapping(constraintMapping2)}));
    }

    @Test
    public void testInstallRequiredConstraintCoveringAll() {
        this.installer.configure(TestUtils.MapBuilder.of(validProps()).with("authentication.roles", "team1,team2").build());
        this.installer.accept(this.context);
        ConstraintSecurityHandler assertSecurityHandlerInstalled = assertSecurityHandlerInstalled();
        Constraint constraint = new Constraint();
        constraint.setAuthenticate(true);
        constraint.setRoles(new String[]{"team1", "team2"});
        ConstraintMapping constraintMapping = new ConstraintMapping();
        constraintMapping.setConstraint(constraint);
        constraintMapping.setMethod("*");
        constraintMapping.setPathSpec("/*");
        constraintMapping.getConstraint().setRoles(new String[]{"**"});
        MatcherAssert.assertThat(assertSecurityHandlerInstalled.getConstraintMappings(), CoreMatchers.hasItem(JwtTestUtils.constraintMapping(constraintMapping)));
    }

    @Test
    public void testInstallCompositeAuthenticator() {
        this.installer.configure(validProps());
        this.installer.accept(this.context);
        ConstraintSecurityHandler assertSecurityHandlerInstalled = assertSecurityHandlerInstalled();
        MatcherAssert.assertThat(assertSecurityHandlerInstalled.getAuthenticator(), CoreMatchers.is(CoreMatchers.instanceOf(CompositeAuthenticator.class)));
        MatcherAssert.assertThat(Boolean.valueOf(assertSecurityHandlerInstalled.getAuthenticator().isAllowAnonymousUser()), CoreMatchers.is(false));
    }

    @Test
    public void testAllowAnonymousAuthenticator() {
        this.installer.configure(TestUtils.MapBuilder.of(validProps()).with("auth.allow.anonymous.user", "true").build());
        this.installer.accept(this.context);
        ConstraintSecurityHandler assertSecurityHandlerInstalled = assertSecurityHandlerInstalled();
        MatcherAssert.assertThat(assertSecurityHandlerInstalled.getAuthenticator(), CoreMatchers.is(CoreMatchers.instanceOf(CompositeAuthenticator.class)));
        MatcherAssert.assertThat(Boolean.valueOf(assertSecurityHandlerInstalled.getAuthenticator().isAllowAnonymousUser()), CoreMatchers.is(true));
    }

    @Test
    public void testInstallDefaultIdentifyService() {
        this.installer.configure(validProps());
        this.installer.accept(this.context);
        MatcherAssert.assertThat(assertSecurityHandlerInstalled().getIdentityService(), CoreMatchers.is(CoreMatchers.instanceOf(DefaultIdentityService.class)));
    }

    @Test
    public void testInstallCompositeLoginService() {
        this.installer.configure(validProps());
        this.installer.accept(this.context);
        MatcherAssert.assertThat(assertSecurityHandlerInstalled().getLoginService(), CoreMatchers.is(CoreMatchers.instanceOf(CompositeLoginService.class)));
    }

    @Test
    public void testJwtWithFallBackLoginServiceInstance() {
        this.installer.configure(validProps());
        this.installer.accept(this.context);
        MatcherAssert.assertThat(AuthUtils.createHttpLoginService(this.installer.getConfig(), this.installer.getMetricsContainer(), log), CoreMatchers.is(CoreMatchers.instanceOf(JwtWithFallbackLoginService.class)));
    }

    @Test
    public void testMultiJwtWithFallBackLoginServiceInstance() {
        Map<String, Object> validProps = validProps();
        validProps.put("oauthbearer.jwks.endpoint.url", JWKS_URL);
        validProps.put("oauthbearer.expected.issuer", EXPECTED_ISSUER);
        this.installer.configure(validProps);
        this.installer.accept(this.context);
        MatcherAssert.assertThat(AuthUtils.createHttpLoginService(this.installer.getConfig(), this.installer.getMetricsContainer(), log), CoreMatchers.is(CoreMatchers.instanceOf(MultiJwtWithFallbackLoginService.class)));
    }

    @Test
    public void testMissingLoginCredentials() {
        Map<String, Object> validProps = validProps();
        validProps.remove("public.key.path");
        validProps.remove("confluent.metadata.bootstrap.server.urls");
        this.installer.configure(validProps);
        this.installer.accept(this.context);
        Assert.assertNull(AuthUtils.createHttpLoginService(this.installer.getConfig(), this.installer.getMetricsContainer(), log));
    }

    @Test
    public void testDefaultJTIClaimWithoutJTI() throws JwtVerificationException, JoseException, NoSuchAlgorithmException {
        KeyPair generatKeyPair = generatKeyPair();
        this.installer.configure(validPropsWithIDP());
        this.installer.accept(this.context);
        Assertions.assertNotNull(getMockedLoginService(generatKeyPair.getPublic()).getAuthenticator().login(getCustomSignedJWS(generatKeyPair.getPrivate())));
    }

    @Test
    public void testExplicitlyDisabledJTIClaimWithoutJTI() throws JwtVerificationException, JoseException, NoSuchAlgorithmException {
        KeyPair generatKeyPair = generatKeyPair();
        Map<String, Object> validPropsWithIDP = validPropsWithIDP();
        validPropsWithIDP.put("oauthbearer.jti.validation.enabled", "false");
        this.installer.configure(validPropsWithIDP);
        this.installer.accept(this.context);
        Assertions.assertNotNull(getMockedLoginService(generatKeyPair.getPublic()).getAuthenticator().login(getCustomSignedJWS(generatKeyPair.getPrivate())));
    }

    @Test
    public void testExplicitlyDisabledJTIClaimWithJTI() throws JwtVerificationException, JoseException, NoSuchAlgorithmException {
        KeyPair generatKeyPair = generatKeyPair();
        Map<String, Object> validPropsWithIDP = validPropsWithIDP();
        validPropsWithIDP.put("oauthbearer.jti.validation.enabled", "false");
        this.installer.configure(validPropsWithIDP);
        this.installer.accept(this.context);
        Assertions.assertNotNull(getMockedLoginService(generatKeyPair.getPublic()).getAuthenticator().login(getCustomSignedJWS(generatKeyPair.getPrivate(), true)));
    }

    @Test
    public void testExplicitlyEnabledJTIClaimWithoutJTI() throws JwtVerificationException, JoseException, NoSuchAlgorithmException {
        KeyPair generatKeyPair = generatKeyPair();
        Map<String, Object> validPropsWithIDP = validPropsWithIDP();
        validPropsWithIDP.put("oauthbearer.jti.validation.enabled", "true");
        this.installer.configure(validPropsWithIDP);
        this.installer.accept(this.context);
        JwtAuthenticator authenticator = getMockedLoginService(generatKeyPair.getPublic()).getAuthenticator();
        Assertions.assertTrue(Assertions.assertThrows(JwtVerificationException.class, () -> {
            authenticator.login(getCustomSignedJWS(generatKeyPair.getPrivate()));
        }).getMessage().contains("The JWT had no JWT Id {jti} claim but it is configured to be required."));
    }

    @Test
    public void testExplicitlyEnabledJTIClaimWithJTI() throws JwtVerificationException, JoseException, NoSuchAlgorithmException {
        KeyPair generatKeyPair = generatKeyPair();
        Map<String, Object> validPropsWithIDP = validPropsWithIDP();
        validPropsWithIDP.put("oauthbearer.jti.validation.enabled", "true");
        this.installer.configure(validPropsWithIDP);
        this.installer.accept(this.context);
        Assertions.assertNotNull(getMockedLoginService(generatKeyPair.getPublic()).getAuthenticator().login(getCustomSignedJWS(generatKeyPair.getPrivate(), true)));
    }

    @Test
    public void testAddsMTLSProxyFilter() {
        Map<String, Object> validProps = validProps();
        RestClient restClient = (RestClient) Mockito.mock(RestClient.class);
        AuthenticationHandler authenticationHandler = (AuthenticationHandler) Mockito.spy(AuthenticationHandler.class);
        ((AuthenticationHandler) Mockito.doReturn(restClient).when(authenticationHandler)).createRestClient((Map) ArgumentMatchers.any());
        authenticationHandler.configure(validProps);
        authenticationHandler.accept(this.context);
        ((ServletContextHandler) Mockito.verify(this.context)).addFilter((FilterHolder) this.filterHolderArg.capture(), (String) ArgumentMatchers.any(), (EnumSet) ArgumentMatchers.any());
        Assert.assertEquals(MtlsLeaderProxyFilter.class, ((FilterHolder) this.filterHolderArg.getValue()).getHeldClass());
    }

    @Test
    public void testSkipsMTLSProxyFilter() {
        Map<String, Object> validProps = validProps();
        AuthenticationHandler authenticationHandler = (AuthenticationHandler) Mockito.spy(AuthenticationHandler.class);
        ((AuthenticationHandler) Mockito.doReturn((Object) null).when(authenticationHandler)).createRestClient((Map) ArgumentMatchers.any());
        authenticationHandler.configure(validProps);
        authenticationHandler.accept(this.context);
        ((ServletContextHandler) Mockito.verify(this.context, Mockito.never())).addFilter((FilterHolder) ArgumentMatchers.any(), (String) ArgumentMatchers.any(), (EnumSet) ArgumentMatchers.any());
    }

    @Test
    public void testConditionalConstraintSecurityHandler() {
        Map<String, Object> validProps = validProps();
        validProps.put("expose.internal.connect.endpoints", "true");
        AuthenticationHandler authenticationHandler = (AuthenticationHandler) Mockito.spy(AuthenticationHandler.class);
        ((AuthenticationHandler) Mockito.doReturn((Object) null).when(authenticationHandler)).createRestClient((Map) ArgumentMatchers.any());
        authenticationHandler.configure(validProps);
        ArgumentCaptor forClass = ArgumentCaptor.forClass(ConstraintSecurityHandler.class);
        ((ServletContextHandler) Mockito.doNothing().when(this.context)).setSecurityHandler((SecurityHandler) forClass.capture());
        authenticationHandler.accept(this.context);
        ConstraintSecurityHandler constraintSecurityHandler = (ConstraintSecurityHandler) forClass.getValue();
        Assertions.assertNotNull(constraintSecurityHandler);
        Assert.assertTrue(constraintSecurityHandler instanceof ConnectConstraintSecurityHandler);
        validProps.remove("expose.internal.connect.endpoints");
        authenticationHandler.configure(validProps);
        authenticationHandler.accept(this.context);
        ConstraintSecurityHandler constraintSecurityHandler2 = (ConstraintSecurityHandler) forClass.getValue();
        Assertions.assertNotNull(constraintSecurityHandler2);
        Assert.assertTrue(constraintSecurityHandler2 instanceof ConstraintSecurityHandler);
        ((ServletContextHandler) Mockito.verify(this.context, Mockito.never())).addFilter((FilterHolder) ArgumentMatchers.any(), (String) ArgumentMatchers.any(), (EnumSet) ArgumentMatchers.any());
    }

    protected static Map<String, Object> validProps() {
        return TestUtils.MapBuilder.of(String.class, Object.class).with("confluent.metadata.bootstrap.server.urls", "http://localhost:8090").with("public.key.path", pemPath.toString()).with("auth.ssl.principal.mapping.rules", "DEFAULT").with("authentication.skip.paths", "/path/1").build();
    }

    private static Map<String, Object> validPropsWithIDP() {
        Map<String, Object> validProps = validProps();
        validProps.put("oauthbearer.jwks.endpoint.url", JWKS_URL);
        validProps.put("oauthbearer.expected.issuer", EXPECTED_ISSUER);
        validProps.remove("public.key.path");
        return validProps;
    }

    private ConstraintSecurityHandler assertSecurityHandlerInstalled() {
        ((ServletContextHandler) Mockito.verify(this.context)).setSecurityHandler((SecurityHandler) this.securityHandlerArg.capture());
        return (ConstraintSecurityHandler) this.securityHandlerArg.getValue();
    }

    private PublicKeyVerificationKeyResolver getPublicKeyResolver(PublicKey publicKey) throws NoSuchAlgorithmException {
        HashSet hashSet = new HashSet();
        hashSet.add(publicKey);
        return new PublicKeyVerificationKeyResolver(new PublicKeyJwks(hashSet));
    }

    private KeyPair generatKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        return keyPairGenerator.generateKeyPair();
    }

    private JwtClaims getCustomClaims(boolean z) {
        JwtClaims jwtClaims = new JwtClaims();
        jwtClaims.setAudience("aud1");
        jwtClaims.setSubject("example");
        jwtClaims.setIssuer(EXPECTED_ISSUER);
        jwtClaims.setExpirationTime(NumericDate.fromMilliseconds(System.currentTimeMillis() + 3600000));
        jwtClaims.setIssuedAt(NumericDate.now());
        if (z) {
            jwtClaims.setJwtId("jti");
        }
        return jwtClaims;
    }

    private String getCustomSignedJWS(PrivateKey privateKey) throws JoseException {
        return getCustomSignedJWS(privateKey, false);
    }

    private String getCustomSignedJWS(PrivateKey privateKey, Boolean bool) throws JoseException {
        JsonWebSignature jsonWebSignature = new JsonWebSignature();
        jsonWebSignature.setPayload(getCustomClaims(bool.booleanValue()).toJson());
        jsonWebSignature.setKey(privateKey);
        jsonWebSignature.setAlgorithmHeaderValue("RS256");
        return jsonWebSignature.getCompactSerialization();
    }

    private JwtLoginService getMockedLoginService(PublicKey publicKey) throws NoSuchAlgorithmException {
        PublicKeyVerificationKeyResolver publicKeyResolver = getPublicKeyResolver(publicKey);
        MockedStatic mockStatic = Mockito.mockStatic(JwtUtils.class);
        Throwable th = null;
        try {
            try {
                mockStatic.when(() -> {
                    JwtUtils.getJwtKeyResolver(JWKS_URL, (String) null, (SslContextFactory) null);
                }).thenReturn(publicKeyResolver);
                JwtLoginService idpJwtLoginService = AuthUtils.getIdpJwtLoginService(EXPECTED_ISSUER, EXPECTED_ISSUER, Arrays.asList("aud1"), "sub", "group", this.installer.getConfig(), (MetricsContainer) null);
                if (mockStatic != null) {
                    if (0 != 0) {
                        try {
                            mockStatic.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        mockStatic.close();
                    }
                }
                return idpJwtLoginService;
            } finally {
            }
        } catch (Throwable th3) {
            if (mockStatic != null) {
                if (th != null) {
                    try {
                        mockStatic.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    mockStatic.close();
                }
            }
            throw th3;
        }
    }

    static {
        NO_AUTH.setAuthenticate(false);
    }
}
