package io.confluent.kafka.clients.plugins.auth.oauth;

import io.confluent.security.authentication.credential.BearerCredential;
import io.confluent.security.authentication.oauthbearer.MockJwtSource;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.auth.SaslExtensionsCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenRetriever;
import org.apache.kafka.common.security.oauthbearer.internals.secured.ValidateException;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.lang.JoseException;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/oauth/SpireJwtLoginCallbackHandlerTest.class */
public class SpireJwtLoginCallbackHandlerTest {
    private static final String SPIFFE_ID_1 = "spiffe://" + MockJwtSource.SPIRE_TRUST_DOMAIN_1 + "/test-workload";
    private static final String SPIFFE_ID_INVALID = "spife://" + MockJwtSource.SPIRE_TRUST_DOMAIN_1 + "/test-workload";
    private MockSpireJwtLoginCallbackHandler spireJwtLoginCallbackHandler;
    private JwtClaims claims;
    private BearerCredential bearerCredential;

    /* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/oauth/SpireJwtLoginCallbackHandlerTest$MockSpireJwtLoginCallbackHandler.class */
    private class MockSpireJwtLoginCallbackHandler extends SpireJwtLoginCallbackHandler {
        private MockSpireJwtLoginCallbackHandler() {
        }

        protected void initAccessTokenRetriever(String str) {
            ((SpireJwtLoginCallbackHandler) this).accessTokenRetriever = new MockSpireJwtTokenRetriever(str);
        }
    }

    /* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/oauth/SpireJwtLoginCallbackHandlerTest$MockSpireJwtTokenRetriever.class */
    private class MockSpireJwtTokenRetriever implements AccessTokenRetriever {
        public MockSpireJwtTokenRetriever(String str) {
        }

        public String retrieve() {
            return SpireJwtLoginCallbackHandlerTest.this.bearerCredential.bearerToken();
        }
    }

    @BeforeEach
    public void setUp() {
        this.spireJwtLoginCallbackHandler = new MockSpireJwtLoginCallbackHandler();
        this.claims = new JwtClaims();
        this.claims.setIssuer("test.prefix.spire.internal.confluent.cloud");
        this.claims.setSubject(SPIFFE_ID_1);
        this.claims.setExpirationTimeMinutesInTheFuture(60.0f);
        this.claims.setIssuedAt(NumericDate.now());
        try {
            this.bearerCredential = MockJwtSource.createEncodedJws(MockJwtSource.Kid.RSA_SPIRE_1, this.claims);
        } catch (JoseException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    @Test
    public void testConfigurationRaisesExceptionOnWrongMechanism() {
        Map<String, Object> buildClientJassConfigText = buildClientJassConfigText("lkc-test");
        Assertions.assertTrue(((Exception) Assertions.assertThrows(IllegalArgumentException.class, () -> {
            this.spireJwtLoginCallbackHandler.configure(buildClientJassConfigText, "PLAINTEXT", JaasContext.loadClientContext(buildClientJassConfigText).configurationEntries());
        })).getMessage().contains("Unexpected SASL mechanism:"));
    }

    @Test
    public void testConfigurationRaisesExceptionOnMissingJaasConfig() {
        HashMap hashMap = new HashMap();
        hashMap.put("sasl.jaas.config", new Password(""));
        Assertions.assertTrue(((Exception) Assertions.assertThrows(IllegalArgumentException.class, () -> {
            this.spireJwtLoginCallbackHandler.configure(hashMap, "OAUTHBEARER", Collections.emptyList());
        })).getMessage().contains("Must supply exactly 1 non-null JAAS mechanism configuration"));
    }

    @Test
    public void testConfigureRaisesExceptionOnMissingLogicalCluster() {
        Map<String, Object> buildClientJassConfigText = buildClientJassConfigText(null);
        Assertions.assertEquals("Logical cluster for must be set in the JAAS config.", ((Exception) Assertions.assertThrows(ConfigException.class, () -> {
            this.spireJwtLoginCallbackHandler.configure(buildClientJassConfigText, "OAUTHBEARER", JaasContext.loadClientContext(buildClientJassConfigText).configurationEntries());
        })).getMessage());
    }

    @Test
    public void testConfigureRaisesExceptionOnMissingSpireAgentEndPoint() {
        HashMap hashMap = new HashMap();
        hashMap.put("sasl.jaas.config", new Password("org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule Required logicalCluster=\"lkc-test\";"));
        Assertions.assertEquals("The OAuth configuration option sasl.oauthbearer.token.spire.agent.endpoint value must be non-null", ((Exception) Assertions.assertThrows(ConfigException.class, () -> {
            this.spireJwtLoginCallbackHandler.configure(hashMap, "OAUTHBEARER", JaasContext.loadClientContext(hashMap).configurationEntries());
        })).getMessage());
    }

    @Test
    public void testSuccessfulConfiguration() {
        Map<String, Object> buildClientJassConfigText = buildClientJassConfigText("lkc-test");
        Assertions.assertDoesNotThrow(() -> {
            this.spireJwtLoginCallbackHandler.configure(buildClientJassConfigText, "OAUTHBEARER", JaasContext.loadClientContext(buildClientJassConfigText).configurationEntries());
        });
    }

    @Test
    public void testHandleExtensionsCallback() throws IOException, UnsupportedCallbackException {
        Map<String, Object> buildClientJassConfigText = buildClientJassConfigText("lkc-test");
        this.spireJwtLoginCallbackHandler.configure(buildClientJassConfigText, "OAUTHBEARER", JaasContext.loadClientContext(buildClientJassConfigText).configurationEntries());
        Callback saslExtensionsCallback = new SaslExtensionsCallback();
        this.spireJwtLoginCallbackHandler.handle(new Callback[]{saslExtensionsCallback});
        Assertions.assertEquals("lkc-test", saslExtensionsCallback.extensions().map().get("logicalCluster"));
    }

    @Test
    public void testTokenLoginValidationFailure() throws InterruptedException, JoseException {
        Map<String, Object> buildClientJassConfigText = buildClientJassConfigText("lkc-test");
        this.spireJwtLoginCallbackHandler.configure(buildClientJassConfigText, "OAUTHBEARER", JaasContext.loadClientContext(buildClientJassConfigText).configurationEntries());
        OAuthBearerTokenCallback oAuthBearerTokenCallback = new OAuthBearerTokenCallback();
        this.claims.setSubject(SPIFFE_ID_INVALID);
        this.bearerCredential = MockJwtSource.createEncodedJws(MockJwtSource.Kid.RSA_SPIRE_1, this.claims);
        Assertions.assertEquals("sub value must be a spiffe id", ((Exception) Assertions.assertThrows(ValidateException.class, () -> {
            this.spireJwtLoginCallbackHandler.handle(new Callback[]{oAuthBearerTokenCallback});
        })).getMessage());
        this.claims.setSubject(SPIFFE_ID_1);
        this.claims.setExpirationTime(NumericDate.fromMilliseconds(System.currentTimeMillis()));
        Thread.sleep(1000L);
        this.bearerCredential = MockJwtSource.createEncodedJws(MockJwtSource.Kid.RSA_SPIRE_1, this.claims);
        Assertions.assertEquals("Token has expired", ((Exception) Assertions.assertThrows(ValidateException.class, () -> {
            this.spireJwtLoginCallbackHandler.handle(new Callback[]{oAuthBearerTokenCallback});
        })).getMessage());
        this.claims.setExpirationTimeMinutesInTheFuture(60.0f);
        this.claims.setIssuedAt(NumericDate.fromMilliseconds(System.currentTimeMillis() + 1800000));
        this.bearerCredential = MockJwtSource.createEncodedJws(MockJwtSource.Kid.RSA_SPIRE_1, this.claims);
        Assertions.assertEquals("iat has future value", ((Exception) Assertions.assertThrows(ValidateException.class, () -> {
            this.spireJwtLoginCallbackHandler.handle(new Callback[]{oAuthBearerTokenCallback});
        })).getMessage());
        this.claims.setIssuedAt(NumericDate.now());
    }

    @Test
    public void testSuccessfulHandleTokenCallback() throws IOException, UnsupportedCallbackException {
        Map<String, Object> buildClientJassConfigText = buildClientJassConfigText("lkc-test");
        this.spireJwtLoginCallbackHandler.configure(buildClientJassConfigText, "OAUTHBEARER", JaasContext.loadClientContext(buildClientJassConfigText).configurationEntries());
        Callback oAuthBearerTokenCallback = new OAuthBearerTokenCallback();
        this.spireJwtLoginCallbackHandler.handle(new Callback[]{oAuthBearerTokenCallback});
        Assertions.assertEquals(this.bearerCredential.bearerToken(), oAuthBearerTokenCallback.token().value());
    }

    private Map<String, Object> buildClientJassConfigText(String str) {
        String str2 = "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule Required";
        if (str != null && !str.isEmpty()) {
            str2 = str2 + " logicalCluster=\"" + str + '\"';
        }
        HashMap hashMap = new HashMap();
        hashMap.put("sasl.jaas.config", new Password(str2 + ";"));
        hashMap.put("sasl.oauthbearer.token.spire.agent.endpoint", "tcp://0.0.0.0:31523");
        return Collections.unmodifiableMap(hashMap);
    }
}
