package io.confluent.kafka.clients.plugins.auth.jwt;

import io.confluent.security.fixtures.jwt.TestJwkProvider;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.jose4j.http.Response;
import org.jose4j.http.SimpleGet;
import org.jose4j.http.SimpleResponse;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/jwt/ValidationKeyResolverTest.class */
public final class ValidationKeyResolverTest {

    /* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/jwt/ValidationKeyResolverTest$MockHttpGet.class */
    /**
     * Test double for jose4j's {@link SimpleGet}. Instead of issuing an HTTP request it
     * answers every lookup with the key set currently held by a {@link TestJwkProvider},
     * so tests can add, rotate or delete keys and have the next fetch observe the change.
     */
    public static class MockHttpGet implements SimpleGet {
        private final TestJwkProvider jwks;

        /**
         * @param testJwkProvider source of the key set that is served on every call
         */
        public MockHttpGet(TestJwkProvider testJwkProvider) {
            this.jwks = testJwkProvider;
        }

        /**
         * Serves the provider's current JWKS as a {@code 200 OK} JSON response.
         *
         * @param str the requested location; it is not inspected, every location gets the
         *     same key set
         * @return a response whose body is the serialized key set
         */
        @Override
        public SimpleResponse get(String str) {
            // Serialized on each call so that later changes to the provider are visible.
            String keySetJson = this.jwks.getJsonWebKeySet().toJson();
            return new Response(
                    200,
                    "OK",
                    Collections.singletonMap("Content-Type", Collections.singletonList("application/json")),
                    keySetJson);
        }
    }

    /**
     * A JWS whose {@code kid} header names a key the JWKS endpoint does not publish must
     * not resolve to any verification key.
     */
    @Test
    public void testVerificationKeyResolverUnknownKid() {
        // The provider is left empty, so nothing published can match "mysteryKID".
        AsyncHttpsJwks emptyKeySet = newHttpsJwks(new TestJwkProvider());
        VerificationKeyResolver resolver = newKeyResolver(emptyKeySet, true);

        Assertions.assertThrows(
                UnresolvableKeyException.class,
                () -> resolver.resolveKey(newRsaJws("mysteryKID"), Collections.emptyList()));
    }

    /**
     * A {@code kid} that matches a published key resolves to exactly that key.
     */
    @Test
    public void testVerificationKeyResolverKnownKid() throws Exception {
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey publishedKey = provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        VerificationKeyResolver resolver = newKeyResolver(keySet, true);
        keySet.syncRefresh();

        Assertions.assertEquals(
                publishedKey.getKey(),
                resolver.resolveKey(newRsaJws("k1"), Collections.emptyList()));
    }

    /**
     * With a single published key and the resolver's boolean option set to {@code true},
     * a JWS that carries no {@code kid} header still resolves to that one key.
     */
    @Test
    public void testVerificationKeyResolverNoKidSingleJwkDisambiguateJwkTrue() throws Exception {
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey onlyKey = provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        // NOTE(review): the test name suggests the flag is "disambiguate JWK" - confirm.
        VerificationKeyResolver resolver = newKeyResolver(keySet, true);
        keySet.syncRefresh();

        // newRsaJws("") builds a JWS without any kid header.
        Assertions.assertEquals(
                onlyKey.getKey(),
                resolver.resolveKey(newRsaJws(""), Collections.emptyList()));
    }

    /**
     * When two keys are published, a JWS without a {@code kid} header is ambiguous and
     * must fail to resolve rather than pick one of the keys.
     */
    @Test
    public void testVerificationKeyResolverNoKidMultiJwk() throws Exception {
        TestJwkProvider provider = new TestJwkProvider();
        provider.createJwkIfAbsent("k1");
        provider.createJwkIfAbsent("k2");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        VerificationKeyResolver resolver = newKeyResolver(keySet, true);
        keySet.syncRefresh();

        Assertions.assertThrows(
                UnresolvableKeyException.class,
                () -> resolver.resolveKey(newRsaJws(""), Collections.emptyList()));
    }

    /**
     * With the resolver's boolean option set to {@code false}, an RS256 JWS without a
     * {@code kid} header resolves to the key that was published under an empty key id.
     */
    @Test
    public void testAmbiguousVerificationKeyNoKidKnownAlg() throws Exception {
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey unnamedKey = provider.createJwkIfAbsent("");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        VerificationKeyResolver resolver = newKeyResolver(keySet, false);
        keySet.syncRefresh();

        Assertions.assertEquals(
                unnamedKey.getKey(),
                resolver.resolveKey(newRsaJws(""), Collections.emptyList()));
    }

    /**
     * A {@code kid} that differs from the only published key id must not fall back to
     * that key, even though the signature algorithm is one the test keys are used with.
     */
    @Test
    public void testAmbiguousVerificationKeyUnknownKidKnownAlg() {
        TestJwkProvider provider = new TestJwkProvider();
        provider.createJwkIfAbsent("validKid");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        VerificationKeyResolver resolver = newKeyResolver(keySet, false);

        Assertions.assertThrows(
                UnresolvableKeyException.class,
                () -> resolver.resolveKey(newRsaJws("invalidKid"), Collections.emptyList()));
    }

    /**
     * An ES256 JWS without a {@code kid} header must not resolve to the key published
     * under an empty key id.
     */
    @Test
    public void testAmbiguousVerificationKeyNoKidUnknownAlg() {
        TestJwkProvider provider = new TestJwkProvider();
        // presumably an RSA key, since the RS256 variant of this test resolves - confirm
        provider.createJwkIfAbsent("");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        VerificationKeyResolver resolver = newKeyResolver(keySet, false);

        Assertions.assertThrows(
                UnresolvableKeyException.class,
                () -> resolver.resolveKey(newEcsJws(""), Collections.emptyList()));
    }

    /**
     * A matching {@code kid} is not enough: an ES256 JWS that names the published key
     * "k1" must still fail to resolve.
     */
    @Test
    public void testAmbiguousVerificationKeyValidKidUnknownAlg() {
        TestJwkProvider provider = new TestJwkProvider();
        provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        VerificationKeyResolver resolver = newKeyResolver(keySet, false);

        Assertions.assertThrows(
                UnresolvableKeyException.class,
                () -> resolver.resolveKey(newEcsJws("k1"), Collections.emptyList()));
    }

    /**
     * A JWS whose {@code jku} header points at a host on the domain allowlist resolves
     * to the published key with the matching {@code kid}.
     */
    @Test
    public void testJkuVerificationKey() throws Exception {
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey publishedKey = provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        // The factory ignores the requested URL and always hands back the mocked key set.
        // The jku header set by newRsaJws is "https://localhost/jwks.json".
        JkuVerificationKeyResolver resolver =
                new JkuVerificationKeyResolver(url -> keySet, Collections.singletonList("localhost"), false, false);
        keySet.syncRefresh();

        Assertions.assertEquals(
                publishedKey.getKey(),
                resolver.resolveKey(newRsaJws("k1"), Collections.emptyList()));
    }

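    /**
     * Checks how a leading-dot allowlist entry ({@code ".localhost.com"}) is matched
     * against {@code jku} URLs: hosts below that domain are accepted, look-alike hosts
     * and hosts under a different suffix are rejected.
     */
    @Test
    public void testJkuVerificationKeyRelativeDomain() {
        List<String> allowedDomains = Collections.singletonList(".localhost.com");

        String directSubdomain = "https://test.localhost.com:8090";
        Assertions.assertTrue(
                JkuVerificationKeyResolver.hasValidJkuDomain(allowedDomains, "https", directSubdomain),
                String.format("%s should be valid with domain whitelist %s", directSubdomain, allowedDomains));

        String nestedSubdomain = "https://testing.1.2.3.localhost.com:8090";
        Assertions.assertTrue(
                JkuVerificationKeyResolver.hasValidJkuDomain(allowedDomains, "https", nestedSubdomain),
                String.format("%s should be valid with domain whitelist %s", nestedSubdomain, allowedDomains));

        // "not_localhost.com" merely ends in the same characters; it is not below ".localhost.com".
        String lookAlikeHost = "https://test.not_localhost.com:8090";
        Assertions.assertFalse(
                JkuVerificationKeyResolver.hasValidJkuDomain(allowedDomains, "https", lookAlikeHost),
                String.format("%s should be invalid with domain whitelist %s", lookAlikeHost, allowedDomains));

        // A host that stops at ".localhost" lacks the ".com" suffix of the allowlist entry.
        String shorterHost = "https://test.localhost:8090";
        Assertions.assertFalse(
                JkuVerificationKeyResolver.hasValidJkuDomain(allowedDomains, "https", shorterHost),
                String.format("%s should be invalid with domain whitelist %s", shorterHost, allowedDomains));

        // NOTE(review): this repeats the previous check with a freshly built but equal
        // allowlist; possibly a different allowlist was intended here - confirm.
        Assertions.assertFalse(
                JkuVerificationKeyResolver.hasValidJkuDomain(
                        Collections.singletonList(".localhost.com"), "https", shorterHost),
                String.format("%s should be invalid with domain whitelist %s", shorterHost, allowedDomains));
    }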

    /**
     * A {@code jku} header whose host is not on the domain allowlist must be rejected
     * with an error that identifies the jku as the cause, even though the key set behind
     * it would contain the requested key.
     */
    @Test
    public void testJkuVerificationKeyInvalidDomain() {
        TestJwkProvider provider = new TestJwkProvider();
        provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        // The allowlist holds only "mysteryIssuer"; the JWS points at https://localhost/jwks.json.
        JkuVerificationKeyResolver resolver =
                new JkuVerificationKeyResolver(url -> keySet, Collections.singletonList("mysteryIssuer"), false, true);
        keySet.syncRefresh();

        UnresolvableKeyException failure = Assertions.assertThrows(
                UnresolvableKeyException.class,
                () -> resolver.resolveKey(newRsaJws("k1"), Collections.emptyList()));
        Assertions.assertTrue(failure.getLocalizedMessage().startsWith("Invalid jku:"));
    }

    /**
     * Constructing a jku resolver with an empty domain allowlist is refused with a
     * {@link ConfigException} when the last constructor flag is {@code true}.
     */
    @Test
    public void testJkuVerificationKeyEmptyDomainWhitelist() {
        TestJwkProvider provider = new TestJwkProvider();
        provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);

        // NOTE(review): the meaning of the two boolean flags is not visible here - confirm
        // which one makes the allowlist mandatory.
        Assertions.assertThrows(
                ConfigException.class,
                () -> new JkuVerificationKeyResolver(url -> keySet, Collections.emptyList(), false, true));
    }

    /**
     * After {@code close()}, a jku resolver must refuse further key lookups with an
     * {@link IllegalStateException}.
     */
    @Test
    public void testJkuVerificationKeyShutdown() throws IOException {
        JkuVerificationKeyResolver resolver =
                new JkuVerificationKeyResolver(Collections.singletonList("localhost"), true);
        resolver.close();

        Assertions.assertThrows(
                IllegalStateException.class,
                () -> resolver.resolveKey(newRsaJws("k1"), Collections.emptyList()));
    }

    /**
     * After {@code close()}, the JWKS-backed resolver must refuse lookups with an
     * {@link IllegalStateException}, even for a key id that is published.
     */
    @Test
    public void testAsyncHttpsJwksVerificationKeyResolverShutdown() throws IOException {
        TestJwkProvider provider = new TestJwkProvider();
        provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        AsyncHttpsJwksVerificationKeyResolver resolver = new AsyncHttpsJwksVerificationKeyResolver(keySet);
        resolver.close();

        Assertions.assertThrows(
                IllegalStateException.class,
                () -> resolver.resolveKey(newRsaJws("k1"), Collections.emptyList()));
    }

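    /**
     * A token whose single {@code aud} value equals the one configured audience is
     * accepted, and the principal is taken from the token's subject.
     */
    @Test
    public void testAudVerificationValidAud() throws Exception {
        List<String> expectedAudiences = new ArrayList<>();
        expectedAudiences.add("kafka");
        TestJwkProvider provider = new TestJwkProvider();
        // Statement order matters: the key set is first fetched while the provider is
        // still empty and "k1" is created afterwards, so the login below presumably
        // relies on the resolver re-fetching for an unknown kid - confirm.
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(newHttpsJwks(provider), true),
                expectedAudiences,
                false);
        JsonWebSignature jws = buildJws(buildJwt("test", "kafka"), provider.createJwkIfAbsent("k1"));

        OAuthBearerToken token = authenticator.login(jws.getCompactSerialization());

        Assertions.assertEquals("test", token.principalName());
    }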

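    /**
     * {@code JwtAuthenticator.extractSignature} returns the third dot-separated segment
     * of the compact serialization of a successfully verified token.
     */
    @Test
    public void testJwtAuthenticatorExtractSignature() throws Exception {
        List<String> expectedAudiences = new ArrayList<>();
        expectedAudiences.add("kafka");
        TestJwkProvider provider = new TestJwkProvider();
        // The key set is fetched before "k1" is created; keep this statement order.
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(newHttpsJwks(provider), true),
                expectedAudiences,
                false);
        JsonWebSignature jws = buildJws(buildJwt("test", "kafka"), provider.createJwkIfAbsent("k1"));

        OAuthBearerToken token = authenticator.login(jws.getCompactSerialization());

        // The raw third segment is the reference value, the extractor is the unit under
        // test, so a failure message reports them the right way round.
        String signatureSegment = token.value().split("\\.")[2];
        Assertions.assertEquals(signatureSegment, JwtAuthenticator.extractSignature(token));
    }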

    /**
     * For an unsecured token (algorithm {@code none}) the extracted signature is empty.
     *
     * <p>The token is wrapped in {@code UnverifiedJwtBearerToken} and never passed to
     * {@code JwtAuthenticator.login}, so this test covers signature extraction only; it
     * says nothing about whether an unsecured token would be accepted at login.
     */
    @Test
    public void testJwtAuthenticatorExtractEmptySignature() throws Exception {
        JwtClaims claims = buildJwt("test", "kafka");
        JsonWebSignature unsecuredJws = new JsonWebSignature();
        unsecuredJws.setAlgorithmHeaderValue("none");
        // Constraints are lifted on the producing side only, to let jose4j serialize "none".
        unsecuredJws.setAlgorithmConstraints(AlgorithmConstraints.NO_CONSTRAINTS);
        unsecuredJws.setPayload(claims.toJson());

        UnverifiedJwtBearerToken token = new UnverifiedJwtBearerToken(unsecuredJws.getCompactSerialization());

        Assertions.assertTrue(JwtAuthenticator.extractSignature(token).isEmpty());
    }

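    /**
     * A token with several {@code aud} values is accepted when at least one of them
     * ("kafka") is the configured audience.
     */
    @Test
    public void testAudVerificationMultiAudMatch() throws Exception {
        List<String> expectedAudiences = new ArrayList<>();
        expectedAudiences.add("kafka");
        TestJwkProvider provider = new TestJwkProvider();
        // The key set is fetched before "k1" is created; keep this statement order.
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(newHttpsJwks(provider), true),
                expectedAudiences,
                false);
        JsonWebSignature jws =
                buildJws(buildJwt("test", "kafka", "notKafka"), provider.createJwkIfAbsent("k1"));

        OAuthBearerToken token = authenticator.login(jws.getCompactSerialization());

        Assertions.assertEquals("test", token.principalName());
    }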

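    /**
     * With two configured audiences, a token that carries just one of them ("kafka")
     * is accepted.
     */
    @Test
    public void testAudVerificationMultiAudInJwtAuthenticatorMatch() throws Exception {
        List<String> expectedAudiences = new ArrayList<>(Arrays.asList("kafka", "notKafka"));
        TestJwkProvider provider = new TestJwkProvider();
        // The key set is fetched before "k1" is created; keep this statement order.
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(newHttpsJwks(provider), true),
                expectedAudiences,
                false);
        JsonWebSignature jws = buildJws(buildJwt("test", "kafka"), provider.createJwkIfAbsent("k1"));

        OAuthBearerToken token = authenticator.login(jws.getCompactSerialization());

        Assertions.assertEquals("test", token.principalName());
    }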

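    /**
     * Configured audiences and token audiences only need to overlap: the token carries
     * "kafka" and "test", the authenticator expects "kafka" or "notKafka", and login
     * succeeds.
     */
    @Test
    public void testAudVerificationMultiAudInAuthenticatorAndMultiAudInJwtMatch() throws Exception {
        List<String> expectedAudiences = new ArrayList<>(Arrays.asList("kafka", "notKafka"));
        TestJwkProvider provider = new TestJwkProvider();
        // The key set is fetched before "k1" is created; keep this statement order.
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(newHttpsJwks(provider), true),
                expectedAudiences,
                false);
        JsonWebSignature jws =
                buildJws(buildJwt("test", "kafka", "test"), provider.createJwkIfAbsent("k1"));

        OAuthBearerToken token = authenticator.login(jws.getCompactSerialization());

        Assertions.assertEquals("test", token.principalName());
    }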

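    /**
     * A correctly signed token is still rejected when none of its {@code aud} values
     * appears among the configured audiences.
     */
    @Test
    public void testAudVerificationMultiAudInJwtAuthenticatorNoMatch() throws Exception {
        List<String> expectedAudiences = new ArrayList<>(Arrays.asList("kafka", "notKafka"));
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey signingKey = provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        JsonWebSignature jws = buildJws(buildJwt("test", "error", "error1"), signingKey);
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(keySet, true),
                expectedAudiences,
                false);

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> authenticator.login(jws.getCompactSerialization()));
    }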

    /**
     * An authenticator built without any audience configuration accepts a token that
     * has no {@code aud} claim.
     */
    @Test
    public void testAudVerificationEmptyAudWithEmptyAudInAuthenticatorAndJwt() throws Exception {
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey signingKey = provider.createJwkIfAbsent("k1");
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(newHttpsJwks(provider), true));
        // buildJwt with no audience arguments leaves the aud claim unset.
        JsonWebSignature jws = buildJws(buildJwt("test"), signingKey);

        OAuthBearerToken token = authenticator.login(jws.getCompactSerialization());

        Assertions.assertEquals("test", token.principalName());
    }

    /**
     * An authenticator built without any audience configuration rejects a token that
     * does carry an {@code aud} claim ("kafka").
     */
    @Test
    public void testAudVerificationEmptyAudWithEmptyAudInAuthenticator() throws Exception {
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey signingKey = provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        JsonWebSignature jws = buildJws(buildJwt("test", "kafka"), signingKey);
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(keySet, true));

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> authenticator.login(jws.getCompactSerialization()));
    }

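    /**
     * With audiences configured but the last constructor flag {@code false}, a token
     * that has no {@code aud} claim at all is accepted.
     *
     * <p>NOTE(review): this pins permissive behaviour - a token that is not bound to any
     * audience passes although audiences are configured. The sibling "AudRequired" tests
     * suggest the flag set to {@code true} closes this; confirm for deployments that
     * depend on audience binding.
     */
    @Test
    public void testAudVerificationEmptyAudWithMultiAudInAuthenticator() throws Exception {
        List<String> expectedAudiences = new ArrayList<>(Arrays.asList("kafka", "notKafka"));
        TestJwkProvider provider = new TestJwkProvider();
        // The key set is fetched before "k1" is created; keep this statement order.
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(newHttpsJwks(provider), true),
                expectedAudiences,
                false);
        JsonWebSignature jws = buildJws(buildJwt("test", new String[0]), provider.createJwkIfAbsent("k1"));

        OAuthBearerToken token = authenticator.login(jws.getCompactSerialization());

        Assertions.assertEquals("test", token.principalName());
    }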

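    /**
     * With audiences configured and the last constructor flag {@code true}, a token
     * without an {@code aud} claim is rejected.
     */
    @Test
    public void testAudVerificationEmptyAudWithMultiAudInAuthenticatorAndAudRequired() throws Exception {
        List<String> expectedAudiences = new ArrayList<>(Arrays.asList("kafka", "notKafka"));
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey signingKey = provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        JsonWebSignature jws = buildJws(buildJwt("test", new String[0]), signingKey);
        // NOTE(review): per the test name the trailing flag is "audience required" - confirm.
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(keySet, true),
                expectedAudiences,
                true);

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> authenticator.login(jws.getCompactSerialization()));
    }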

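    /**
     * With audiences configured and the last constructor flag {@code true}, a token
     * whose {@code aud} is one of the configured values is accepted.
     */
    @Test
    public void testAudVerificationMultiAudInAuthenticatorAndAudRequired() throws Exception {
        List<String> expectedAudiences = new ArrayList<>(Arrays.asList("kafka", "notKafka"));
        TestJwkProvider provider = new TestJwkProvider();
        // The key set is fetched before "k1" is created; keep this statement order.
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(newHttpsJwks(provider), true),
                expectedAudiences,
                true);
        JsonWebSignature jws = buildJws(buildJwt("test", "kafka"), provider.createJwkIfAbsent("k1"));

        OAuthBearerToken token = authenticator.login(jws.getCompactSerialization());

        Assertions.assertEquals("test", token.principalName());
    }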

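    /**
     * With audiences configured and the last constructor flag {@code true}, a token
     * whose {@code aud} ("error") is not among the configured values is rejected.
     */
    @Test
    public void testAudVerificationMultiAudInAuthenticatorAndAudRequiredNoMatch() throws Exception {
        List<String> expectedAudiences = new ArrayList<>(Arrays.asList("kafka", "notKafka"));
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey signingKey = provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        JsonWebSignature jws = buildJws(buildJwt("test", "error"), signingKey);
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(keySet, true),
                expectedAudiences,
                true);

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> authenticator.login(jws.getCompactSerialization()));
    }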

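    /**
     * With a {@code null} audience list and the last constructor flag {@code true},
     * a token that carries an {@code aud} claim ("error") is rejected.
     */
    @Test
    public void testAudVerificationNoAudInAuthenticatorAndAudRequiredNoMatch() throws Exception {
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey signingKey = provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        JsonWebSignature jws = buildJws(buildJwt("test", "error"), signingKey);
        // A typed null stands for "no audiences configured".
        List<String> noConfiguredAudiences = null;
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(keySet, true),
                noConfiguredAudiences,
                true);

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> authenticator.login(jws.getCompactSerialization()));
    }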

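    /**
     * With a {@code null} audience list and the last constructor flag {@code true},
     * a token without an {@code aud} claim is accepted.
     *
     * <p>NOTE(review): this pins that the flag alone does not force tokens to carry an
     * audience when none is configured - confirm that this is the intended contract.
     */
    @Test
    public void testAudVerificationNoAudInAuthenticatorAndNoAudAndAudRequiredMatch() throws Exception {
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey signingKey = provider.createJwkIfAbsent("k1");
        // A typed null stands for "no audiences configured".
        List<String> noConfiguredAudiences = null;
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(newHttpsJwks(provider), true),
                noConfiguredAudiences,
                true);
        JsonWebSignature jws = buildJws(buildJwt("test", new String[0]), signingKey);

        OAuthBearerToken token = authenticator.login(jws.getCompactSerialization());

        Assertions.assertEquals("test", token.principalName());
    }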

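    /**
     * A token with several {@code aud} values is rejected when none of them is the
     * single configured audience.
     */
    @Test
    public void testAudVerificationMultiAudNoMatch() throws Exception {
        List<String> expectedAudiences = new ArrayList<>(Arrays.asList("kafka"));
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey signingKey = provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        JsonWebSignature jws = buildJws(buildJwt("test", "notKafka", "alsoNotKafka"), signingKey);
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(keySet, true),
                expectedAudiences,
                false);

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> authenticator.login(jws.getCompactSerialization()));
    }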

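    /**
     * With a {@code null} audience list and the last constructor flag {@code false},
     * a token without an {@code aud} claim is accepted.
     */
    @Test
    public void testAudVerificationNullAud() throws Exception {
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey signingKey = provider.createJwkIfAbsent("k1");
        // A typed null stands for "no audiences configured".
        List<String> noConfiguredAudiences = null;
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(newHttpsJwks(provider), true),
                noConfiguredAudiences,
                false);
        JsonWebSignature jws = buildJws(buildJwt("test", new String[0]), signingKey);

        OAuthBearerToken token = authenticator.login(jws.getCompactSerialization());

        Assertions.assertEquals("test", token.principalName());
    }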

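    /**
     * A token that carries an explicitly empty {@code aud} list is rejected when an
     * audience is configured. This differs from a token with no {@code aud} claim at
     * all: here the claim is set, to an empty list.
     */
    @Test
    public void testAudVerificationEmptyAud() throws Exception {
        List<String> expectedAudiences = new ArrayList<>(Arrays.asList("kafka"));
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey signingKey = provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        JwtClaims claims = buildJwt("test", new String[0]);
        // buildJwt leaves aud unset for zero audiences; set it explicitly to an empty list.
        claims.setAudience(Collections.emptyList());
        JsonWebSignature jws = buildJws(claims, signingKey);
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(keySet, true),
                expectedAudiences,
                false);

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> authenticator.login(jws.getCompactSerialization()));
    }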

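    /**
     * A correctly signed token whose single {@code aud} value ("notKafka") differs from
     * the configured audience is rejected.
     */
    @Test
    public void testAudVerificationInvalidAud() {
        List<String> expectedAudiences = new ArrayList<>(Arrays.asList("kafka"));
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey signingKey = provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        JsonWebSignature jws = buildJws(buildJwt("test", "notKafka"), signingKey);
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(keySet, true),
                expectedAudiences,
                false);

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> authenticator.login(jws.getCompactSerialization()));
    }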

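    /**
     * A token that verified before a key rotation must stop verifying once the key set
     * has been refreshed after the rotation.
     */
    @Test
    public void testJwtAuthenticatorRotatedValidationKey() throws Exception {
        List<String> expectedAudiences = new ArrayList<>(Arrays.asList("kafka"));
        TestJwkProvider provider = new TestJwkProvider();
        PublicJsonWebKey originalKey = provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(keySet, true),
                expectedAudiences,
                false);
        String tokenSignedWithOriginalKey =
                buildJws(buildJwt("test", "kafka"), originalKey).getCompactSerialization();

        // Baseline: the token verifies while the original key is published.
        authenticator.login(tokenSignedWithOriginalKey);

        // presumably replaces the key material kept under "k1" - confirm against TestJwkProvider
        provider.rotateJwk("k1");
        keySet.syncRefresh();

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> authenticator.login(tokenSignedWithOriginalKey));
    }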

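    /**
     * A token signed with a key that is not yet published is rejected; after the key is
     * registered and the key set refreshed, the same token is accepted.
     */
    @Test
    public void testJwtAuthenticatorNewValidationKey() throws Exception {
        List<String> expectedAudiences = new ArrayList<>(Arrays.asList("kafka"));
        TestJwkProvider provider = new TestJwkProvider();
        provider.createJwkIfAbsent("k1");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(keySet, true),
                expectedAudiences,
                false);
        JwtClaims claims = buildJwt("test", "kafka");
        // Generated but deliberately not registered with the provider yet.
        PublicJsonWebKey unpublishedKey = provider.generateRsaJwk("newKid");
        JsonWebSignature jws = buildJws(claims, unpublishedKey);
        String tokenBeforePublication = jws.getCompactSerialization();

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> authenticator.login(tokenBeforePublication));

        provider.registerJwk(unpublishedKey);
        keySet.syncRefresh();

        OAuthBearerToken token = authenticator.login(jws.getCompactSerialization());
        Assertions.assertEquals("test", token.principalName());
    }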

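    /**
     * Deleting a key from the key set revokes tokens signed with it once the key set is
     * refreshed, while tokens signed with a key that is still published keep verifying.
     */
    @Test
    public void testJwtAuthenticatorRevokedValidationKey() throws Exception {
        List<String> expectedAudiences = new ArrayList<>(Arrays.asList("kafka"));
        TestJwkProvider provider = new TestJwkProvider();
        provider.createJwkIfAbsent("k1");
        provider.createJwkIfAbsent("k2");
        AsyncHttpsJwks keySet = newHttpsJwks(provider);
        JwtAuthenticator authenticator = new JwtAuthenticator(
                "https://localhost",
                new AsyncHttpsJwksVerificationKeyResolver(keySet, true),
                expectedAudiences,
                false);
        JwtClaims claims = buildJwt("test", "kafka");
        String tokenSignedWithK1 =
                buildJws(claims, provider.createJwkIfAbsent("k1")).getCompactSerialization();
        JsonWebSignature jwsSignedWithK2 = buildJws(claims, provider.createJwkIfAbsent("k2"));

        // Baseline: the k1 token verifies while k1 is still published.
        OAuthBearerToken loginBeforeRevocation = authenticator.login(tokenSignedWithK1);

        provider.deleteJwk("k1");
        keySet.syncRefresh();
        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> authenticator.login(tokenSignedWithK1));

        keySet.syncRefresh();
        OAuthBearerToken loginWithRemainingKey = authenticator.login(jwsSignedWithK2.getCompactSerialization());

        Assertions.assertEquals("test", loginBeforeRevocation.principalName());
        Assertions.assertEquals("test", loginWithRemainingKey.principalName());
    }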

    /**
     * Builds an unsigned JWS header set that declares the {@code RS256} algorithm.
     *
     * @param str key id for the {@code kid} header; an empty string omits the header
     * @return the JWS, with no key or payload set
     */
    private static JsonWebSignature newRsaJws(String str) {
        JsonWebSignature rsaJws = newJws(str, "RS256");
        return rsaJws;
    }

    /**
     * Builds an unsigned JWS header set that declares the {@code ES256} algorithm.
     *
     * @param str key id for the {@code kid} header; an empty string omits the header
     * @return the JWS, with no key or payload set
     */
    private static JsonWebSignature newEcsJws(String str) {
        JsonWebSignature ecJws = newJws(str, "ES256");
        return ecJws;
    }

    /**
     * Builds a JWS that carries only headers: the given algorithm, a fixed {@code jku}
     * of {@code https://localhost/jwks.json} and, optionally, a {@code kid}. No key and
     * no payload are set, so the result is suitable for key resolution only.
     *
     * @param str key id; must not be {@code null}, an empty string leaves {@code kid} out
     * @param str2 value for the {@code alg} header
     * @return the header-only JWS
     * @throws NullPointerException if {@code str} is {@code null}
     */
    private static JsonWebSignature newJws(String str, String str2) {
        Objects.requireNonNull(str);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setAlgorithmHeaderValue(str2);
        jws.setHeader("jku", "https://localhost/jwks.json");
        if (str.isEmpty()) {
            // No kid header at all, rather than an empty one.
            return jws;
        }
        jws.setKeyIdHeaderValue(str);
        return jws;
    }

    /**
     * Wraps a key set in the resolver under test.
     *
     * @param asyncHttpsJwks key set the resolver reads from
     * @param z boolean option forwarded unchanged to the resolver's constructor
     *     (NOTE(review): test names suggest "disambiguate JWK" - confirm)
     * @return a new {@code AsyncHttpsJwksVerificationKeyResolver}
     */
    private static VerificationKeyResolver newKeyResolver(AsyncHttpsJwks asyncHttpsJwks, boolean z) {
        VerificationKeyResolver resolver = new AsyncHttpsJwksVerificationKeyResolver(asyncHttpsJwks, z);
        return resolver;
    }

    /**
     * Creates a key set that is fed by {@link MockHttpGet} instead of a network fetch and
     * loads it once, so it reflects the provider's keys as of this call. Keys added to
     * the provider afterwards are only seen after a further refresh.
     *
     * @param testJwkProvider provider whose key set is served
     * @return the key set, already refreshed once
     */
    private static AsyncHttpsJwks newHttpsJwks(TestJwkProvider testJwkProvider) {
        MockHttpGet mockedFetch = new MockHttpGet(testJwkProvider);
        // NOTE(review): the meaning of the trailing (true, 0L) arguments is not visible here.
        AsyncHttpsJwks keySet = new AsyncHttpsJwks(mockedFetch, "https://localhost/jwks.json", true, 0L);
        keySet.setRefreshReprieveThreshold(0L);
        keySet.syncRefresh();
        return keySet;
    }

    /**
     * Builds the claims of a test token: issuer {@code https://localhost}, the given
     * subject, issued now, expiring in ten minutes, with a generated token id.
     *
     * @param str value for the {@code sub} claim
     * @param strArr values for the {@code aud} claim; when none are given the claim is
     *     left unset rather than set to an empty list
     * @return the populated claims
     */
    private JwtClaims buildJwt(String str, String... strArr) {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer("https://localhost");
        claims.setSubject(str);
        boolean hasAudience = strArr.length != 0;
        if (hasAudience) {
            claims.setAudience(strArr);
        }
        claims.setIssuedAt(NumericDate.now());
        claims.setExpirationTimeMinutesInTheFuture(10.0f);
        claims.setGeneratedJwtId();
        return claims;
    }

    /**
     * Prepares a JWS over the given claims, to be signed with the private half of the
     * given key. The {@code alg} header is taken from the key, {@code jku} is fixed to
     * {@code https://localhost/jwks.json}, and {@code kid} is set unless the key id is
     * empty.
     *
     * @param jwtClaims claims that become the payload
     * @param publicJsonWebKey key pair supplying the key id, algorithm and private key
     * @return the JWS; the signature is produced when it is serialized
     */
    private JsonWebSignature buildJws(JwtClaims jwtClaims, PublicJsonWebKey publicJsonWebKey) {
        JsonWebSignature jws = new JsonWebSignature();
        String keyId = publicJsonWebKey.getKeyId();
        if (!keyId.isEmpty()) {
            jws.setKeyIdHeaderValue(keyId);
        }
        jws.setAlgorithmHeaderValue(publicJsonWebKey.getAlgorithm());
        jws.setKey(publicJsonWebKey.getPrivateKey());
        jws.setHeader("jku", "https://localhost/jwks.json");
        // Lifts algorithm constraints on this token-producing fixture only; it does not
        // affect what the authenticator under test accepts.
        jws.setAlgorithmConstraints(AlgorithmConstraints.NO_CONSTRAINTS);
        jws.setPayload(jwtClaims.toJson());
        return jws;
    }
}
