package io.confluent.kafka.clients.plugins.auth.jwt;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.lang.JoseException;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/jwt/JwtAuthenticatorTest.class */
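/**
 * Exercises which JWT claims {@code JwtAuthenticator.login} insists on.
 *
 * <p>Every token is signed with RS256 using an RSA key pair generated once per test class.
 * The matching public key is the only key handed to the verification key resolver.
 *
 * <p>Coverage note: every token built here is validly signed, unexpired and carries the
 * configured issuer. This class has no case for a token signed by a different key, an expired
 * token, a mismatched issuer or a mismatched audience. Those rejection paths need their own
 * tests if they are not covered elsewhere.
 */
public class JwtAuthenticatorTest {
    private static final String ISSUER = "https://example.com";
    private static final String CONFLUENT_ISSUER = "Confluent";
    private static final long TOKEN_LIFETIME_MILLIS = 3600000L;

    private static CloseableVerificationKeyResolver keyResolver;
    private static List<String> audiences;
    private static PrivateKey privateKey;

    private JwtClaims claims;
    // Per-test state: kept on the instance (it used to be a static field reassigned from an
    // instance method) so one test's options can never leak into another test.
    private Map<String, Boolean> claimOptions;

    /**
     * Generates the 2048-bit RSA signing key pair and builds the resolver around its public half.
     *
     * @throws NoSuchAlgorithmException if the JRE offers no RSA key pair generator
     */
    @BeforeAll
    public static void beforeAllSetup() throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair keyPair = generator.generateKeyPair();
        privateKey = keyPair.getPrivate();
        // Diamond instead of a raw HashSet; the element type is inferred from the constructor
        // parameter of PublicKeyJwks, which is not visible from this file.
        keyResolver = new PublicKeyVerificationKeyResolver(
                new PublicKeyJwks(new HashSet<>(Collections.singleton(keyPair.getPublic()))));
        audiences = Arrays.asList("aud1", "aud2");
    }

    /** Starts each test with claims that expire one hour from now and with no claim options set. */
    @BeforeEach
    public void beforeEachSetUp() {
        this.claims = new JwtClaims();
        this.claims.setExpirationTime(
                NumericDate.fromMilliseconds(System.currentTimeMillis() + TOKEN_LIFETIME_MILLIS));
        this.claimOptions = new HashMap<>();
    }

    /** A token without {@code jti} is accepted when {@code jtiRequired} is explicitly false. */
    @Test
    public void testJtiNotRequiredAndNotPresentInJws() throws JwtVerificationException, JoseException {
        this.claims.setSubject("example");
        this.claims.setAudience("aud1");
        this.claims.setIssuedAt(NumericDate.now());
        this.claims.setIssuer(ISSUER);
        String token = signClaims();
        this.claimOptions.put("jtiRequired", false);
        Assertions.assertNotNull(newAuthenticator(ISSUER).login(token));
    }

    /**
     * A token carrying {@code jti} is accepted when no claim option is set.
     *
     * <p>NOTE(review): nothing is put into {@code claimOptions} here, so "not required" relies
     * on the authenticator's default for {@code jtiRequired}; confirm against JwtAuthenticator.
     */
    @Test
    public void testJtiNotRequiredAndPresentInJws() throws JwtVerificationException, JoseException {
        this.claims.setSubject("example");
        this.claims.setJwtId("testJwtId");
        this.claims.setAudience("aud1");
        this.claims.setIssuedAt(NumericDate.now());
        this.claims.setIssuer(ISSUER);
        Assertions.assertNotNull(newAuthenticator(ISSUER).login(signClaims()));
    }

    /**
     * A token carrying {@code jti} is accepted by an authenticator built with the boolean overload.
     *
     * <p>NOTE(review): this is the only test using the {@code boolean} constructor argument;
     * presumably it is the jti-required flag, confirm against JwtAuthenticator.
     */
    @Test
    public void testJtiRequiredAndPresentInJws() throws JoseException, JwtVerificationException {
        this.claims.setSubject("example");
        this.claims.setJwtId("testJwtId");
        this.claims.setAudience("aud1");
        this.claims.setIssuedAt(NumericDate.now());
        this.claims.setIssuer(ISSUER);
        Assertions.assertNotNull(
                new JwtAuthenticator(ISSUER, keyResolver, audiences, true).login(signClaims()));
    }

    /** A token without {@code jti} is rejected when {@code jtiRequired} is true. */
    @Test
    public void testJtiRequiredAndNotPresentInToken() throws JoseException {
        this.claims.setSubject("example");
        this.claims.setAudience("aud1");
        this.claims.setIssuedAt(NumericDate.now());
        this.claims.setIssuer(ISSUER);
        String token = signClaims();
        this.claimOptions.put("jtiRequired", true);
        assertLoginRejected(
                newAuthenticator(ISSUER),
                token,
                "The JWT had no JWT Id {jti} claim but it is configured to be required.");
    }

    /**
     * A token carrying audiences is accepted when the authenticator is configured with an empty
     * audience list.
     *
     * <p>Security-relevant: as pinned here, an empty audience configuration does not reject a
     * token because of its {@code aud} claim. Deployments that need audience restriction
     * therefore have to configure a non-empty list.
     */
    @Test
    public void testAudNotConfiguredButPresentInToken() throws JoseException, JwtVerificationException {
        this.claims.setSubject("example");
        this.claims.setIssuedAt(NumericDate.now());
        this.claims.setIssuer(ISSUER);
        this.claims.setJwtId("testJwtId");
        this.claims.setAudience(Arrays.asList("aud1", "aud2"));
        JwtAuthenticator authenticator =
                new JwtAuthenticator(ISSUER, keyResolver, Collections.emptyList(), this.claimOptions);
        Assertions.assertNotNull(authenticator.login(signClaims()));
    }

    /** A token without {@code iat} is accepted when {@code iatRequired} is explicitly false. */
    @Test
    public void testIatIsNotRequired() throws JoseException, JwtVerificationException {
        this.claims.setSubject("example");
        this.claims.setAudience("aud1");
        this.claims.setJwtId("testJwtId");
        this.claims.setIssuer(ISSUER);
        String token = signClaims();
        this.claimOptions.put("iatRequired", false);
        Assertions.assertNotNull(newAuthenticator(ISSUER).login(token));
    }

    /** A token without {@code iss} is rejected even though no claim option is set. */
    @Test
    public void testIssIsRequired() throws JoseException, JwtVerificationException {
        this.claims.setSubject("example");
        this.claims.setAudience("aud1");
        this.claims.setJwtId("testJwtId");
        this.claims.setIssuedAt(NumericDate.now());
        assertLoginRejected(
                newAuthenticator(ISSUER),
                signClaims(),
                "The JWT had no Issuer {iss} claim but it is configured to be required.");
    }

    /** A token without {@code sub} is accepted when the expected issuer is not "Confluent". */
    @Test
    public void testSubIsNotRequiredFromNonConfluentToken() throws JoseException, JwtVerificationException {
        this.claims.setAudience("aud1");
        this.claims.setJwtId("testJwtId");
        this.claims.setIssuer(ISSUER);
        this.claims.setIssuedAt(NumericDate.now());
        Assertions.assertNotNull(newAuthenticator(ISSUER).login(signClaims()));
    }

    /** A token without {@code sub} is rejected when the expected issuer is "Confluent". */
    @Test
    public void testSubIsRequiredFromConfluentToken() throws JoseException, JwtVerificationException {
        this.claims.setAudience("aud1");
        this.claims.setJwtId("testJwtId");
        this.claims.setIssuer(CONFLUENT_ISSUER);
        this.claims.setIssuedAt(NumericDate.now());
        assertLoginRejected(
                newAuthenticator(CONFLUENT_ISSUER),
                signClaims(),
                "The JWT had no Subject {sub} claim but it is configured to be required");
    }

    /** Serializes the current claims as a compact JWS signed with the test private key (RS256). */
    private String signClaims() throws JoseException {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(this.claims.toJson());
        jws.setKey(privateKey);
        jws.setAlgorithmHeaderValue("RS256");
        return jws.getCompactSerialization();
    }

    /** Builds an authenticator for the shared resolver and audiences using the current claim options. */
    private JwtAuthenticator newAuthenticator(String expectedIssuer) {
        return new JwtAuthenticator(expectedIssuer, keyResolver, audiences, this.claimOptions);
    }

    /** Asserts that login fails with a JwtVerificationException whose message contains the fragment. */
    private static void assertLoginRejected(
            JwtAuthenticator authenticator, String token, String expectedFragment) {
        JwtVerificationException thrown =
                Assertions.assertThrows(JwtVerificationException.class, () -> authenticator.login(token));
        Assertions.assertTrue(
                thrown.getMessage().contains(expectedFragment),
                () -> "unexpected rejection message: " + thrown.getMessage());
    }
}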
