package io.confluent.kafka.clients.plugins.auth.token;

import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import io.confluent.security.auth.client.rest.RestClient;
import io.confluent.security.auth.client.rest.exceptions.RestClientException;
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.security.auth.callback.Callback;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.auth.SaslExtensionsCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.jose4j.jwt.JwtClaims;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/token/TokenBearerLoginCallbackHandlerTest.class */
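/**
 * Unit tests for {@link TokenBearerLoginCallbackHandler}.
 *
 * <p>The tests cover three areas visible here: configuration validation (the handler must be
 * configured before use, and incomplete JAAS options are rejected with {@link ConfigException}),
 * attaching the token returned by {@code RestClient.login()} to an
 * {@link OAuthBearerTokenCallback}, and the token sanitization path taken when the current
 * claims carry a {@code mex} entry.
 *
 * <p>No network traffic happens: {@code createRestClient} is always stubbed on a Mockito spy,
 * so the {@code http://} metadata URLs below are inert placeholders.
 * NOTE(review): the bearer credential is handed to the REST client configuration (see the
 * {@code confluent.metadata.token.auth.credential} key checked below), so real deployments
 * should presumably point {@code metadataServerUrls} at an {@code https://} endpoint - confirm
 * against the handler's documentation.
 */
public class TokenBearerLoginCallbackHandlerTest {
    private static final String SASL_MECHANISM = "OAUTHBEARER";
    private static final String LOGIN_MODULE =
            "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule Required";
    private static final String METADATA_URL = "http://url1.com";
    private static final String RAW_TOKEN = "Token";
    private static final String SANITIZED_TOKEN = "SanitizedToken";

    /** Token returned by the mocked {@code RestClient.login()} in every test. */
    private OAuthBearerToken token;

    @BeforeEach
    public void setUp() {
        this.token = new OAuthBearerJwsToken(RAW_TOKEN, Collections.emptySet(), -1L, "", -1L);
    }

    /** An unconfigured handler must refuse to handle callbacks. */
    @Test
    public void testHandleRaisesExceptionIfNotConfigured() {
        TokenBearerLoginCallbackHandler handler = new TokenBearerLoginCallbackHandler();
        Assertions.assertThrows(IllegalStateException.class, () -> {
            handler.handle(new Callback[]{new SaslExtensionsCallback()});
        });
    }

    /** The token obtained from the REST client's login is the one placed on the callback. */
    @Test
    public void testAttachesAuthTokenToCallback() throws Exception {
        // The original also created and stubbed a second, never-returned RestClient mock;
        // the later stub replaced it, so a single mock is equivalent.
        RestClient restClient = Mockito.mock(RestClient.class);
        Mockito.when(restClient.login()).thenReturn(this.token);
        TokenBearerLoginCallbackHandler handler = spyHandler(restClient, new JwtClaims());

        // Declared with the concrete type: token() is not part of the Callback interface.
        OAuthBearerTokenCallback callback = new OAuthBearerTokenCallback();
        configureHandler(handler, buildClientJassConfigText(RAW_TOKEN, METADATA_URL));
        handler.handle(new Callback[]{callback});

        Assertions.assertEquals(RAW_TOKEN, callback.token().value());
        // One client from configure() and one from handle().
        Mockito.verify(handler, Mockito.times(2)).createRestClient((Map) ArgumentMatchers.any());
    }

    /**
     * Despite its name, this test asserts rejection: a JAAS entry that carries only
     * {@code username}/{@code password} (no {@code authenticationToken}) makes
     * {@code configure} throw {@link ConfigException}.
     */
    @Test
    public void testAttachesAuthUserInfoToCallback() {
        RestClient restClient = Mockito.mock(RestClient.class);
        Mockito.when(restClient.login()).thenReturn(this.token);
        TokenBearerLoginCallbackHandler handler = spyHandler(restClient, new JwtClaims());

        Map<String, Object> configs = buildClientJassConfigText("user", "password", METADATA_URL);
        Assertions.assertThrows(ConfigException.class, () -> configureHandler(handler, configs));
    }

    /** Configuring the handler creates exactly one REST client and calls {@code close()} once. */
    @Test
    public void testCloseOldClientWhenCreatingNewRestClient() {
        RestClient restClient = Mockito.mock(RestClient.class);
        Mockito.when(restClient.login()).thenReturn(this.token);
        TokenBearerLoginCallbackHandler handler = spyHandler(restClient, new JwtClaims());

        configureHandler(handler, buildClientJassConfigText(RAW_TOKEN, METADATA_URL));

        Mockito.verify(handler, Mockito.times(1)).createRestClient((Map) ArgumentMatchers.any());
        Mockito.verify(handler, Mockito.times(1)).close();
    }

    /**
     * When the current claims contain {@code mex}, the handler must build a REST client whose
     * credential is the sanitized token rather than the original one.
     */
    @Test
    public void testSanitizeTokenWithMexClaim() throws Exception {
        RestClient restClient = Mockito.mock(RestClient.class);
        Mockito.when(restClient.login()).thenReturn(this.token);
        JwtClaims claims = new JwtClaims();
        claims.setClaim("mex", 1000);
        OAuthBearerJwsToken sanitized =
                new OAuthBearerJwsToken(SANITIZED_TOKEN, Collections.emptySet(), -1L, "", -1L);
        TokenBearerLoginCallbackHandler handler = spyHandler(restClient, claims);
        Mockito.doReturn(sanitized).when(handler)
                .sanitizeToken((String) ArgumentMatchers.any(), (Collection) ArgumentMatchers.any());

        OAuthBearerTokenCallback callback = new OAuthBearerTokenCallback();
        configureHandler(handler, buildClientJassConfigText(RAW_TOKEN, METADATA_URL));

        // Re-stub after configure() so only clients created during handle() are inspected.
        // Statement order and the when(...) form are kept as in the original because the
        // invocation counts verified below depend on them.
        AtomicBoolean sawSanitizedCredential = new AtomicBoolean(false);
        Mockito.when(handler.createRestClient((Map) ArgumentMatchers.any())).then(invocation -> {
            Object firstArgument = invocation.getArguments()[0];
            // Constant-first equals: a config map without the credential key must simply not
            // match instead of failing the answer with a NullPointerException.
            if (firstArgument instanceof Map
                    && SANITIZED_TOKEN.equals(
                            ((Map<?, ?>) firstArgument).get("confluent.metadata.token.auth.credential"))) {
                sawSanitizedCredential.set(true);
            }
            return restClient;
        });

        handler.handle(new Callback[]{callback});

        Assertions.assertTrue(sawSanitizedCredential.get(),
                "expected a REST client to be created with the sanitized token as credential");
        Mockito.verify(handler, Mockito.times(3)).createRestClient((Map) ArgumentMatchers.any());
        Mockito.verify(handler, Mockito.times(3)).close();
    }

    /**
     * A failure while sanitizing the token must surface as {@link IOException} from
     * {@code handle}, and no further REST client may be created.
     */
    @Test
    public void testSanitizeTokenWithMexClaimException() throws Exception {
        RestClient restClient = Mockito.mock(RestClient.class);
        Mockito.when(restClient.login()).thenReturn(this.token);
        JwtClaims claims = new JwtClaims();
        claims.setClaim("mex", 1000);
        TokenBearerLoginCallbackHandler handler = spyHandler(restClient, claims);
        Mockito.doThrow(new RestClientException("Rest client exception", 500, 10001)).when(handler)
                .sanitizeToken((String) ArgumentMatchers.any(), (Collection) ArgumentMatchers.any());

        OAuthBearerTokenCallback callback = new OAuthBearerTokenCallback();
        configureHandler(handler, buildClientJassConfigText(RAW_TOKEN, METADATA_URL));

        Assertions.assertThrows(IOException.class, () -> {
            handler.handle(new Callback[]{callback});
        });
        // NOTE(review): consider also asserting that callback.token() is still null here, so the
        // test pins that an unsanitized token is never attached on failure - confirm the
        // handler's behavior before adding it.
        Mockito.verify(handler, Mockito.times(1)).createRestClient((Map) ArgumentMatchers.any());
        Mockito.verify(handler, Mockito.times(1)).close();
    }

    /** An empty {@code metadataServerUrls} option is a configuration error. */
    @Test
    public void testConfigureRaisesExceptionOnMissingAuthServiceConfig() {
        TokenBearerLoginCallbackHandler handler = new TokenBearerLoginCallbackHandler();
        Map<String, Object> configs = buildClientJassConfigText(RAW_TOKEN, "");
        Assertions.assertThrows(ConfigException.class, () -> configureHandler(handler, configs));
    }

    /** A missing {@code authenticationToken} option is a configuration error. */
    @Test
    public void testConfigureRaisesExceptionOnMissingCredentialsConfig() {
        TokenBearerLoginCallbackHandler handler = new TokenBearerLoginCallbackHandler();
        Map<String, Object> configs = buildClientJassConfigText(null, "http://url2.com");
        Assertions.assertThrows(ConfigException.class, () -> configureHandler(handler, configs));
    }

    /**
     * Creates a spy of the handler whose {@code createRestClient} returns {@code restClient}
     * and whose {@code getCurrentClaims} returns {@code claims}, so no real REST call is made.
     */
    private static TokenBearerLoginCallbackHandler spyHandler(RestClient restClient, JwtClaims claims) {
        TokenBearerLoginCallbackHandler handler = Mockito.spy(TokenBearerLoginCallbackHandler.class);
        Mockito.doReturn(restClient).when(handler).createRestClient((Map) ArgumentMatchers.any());
        Mockito.doReturn(claims).when(handler).getCurrentClaims((String) ArgumentMatchers.any());
        return handler;
    }

    /** Configures {@code handler} for the OAUTHBEARER mechanism from the given client configs. */
    private static void configureHandler(TokenBearerLoginCallbackHandler handler, Map<String, Object> configs) {
        handler.configure(configs, SASL_MECHANISM, JaasContext.loadClientContext(configs).configurationEntries());
    }

    /**
     * Builds client configs whose JAAS entry carries {@code username}/{@code password} options.
     *
     * <p>The original appended {@code this.token} for both options and ignored the argument
     * values; the arguments are now the values written into the entry.
     *
     * @param username value for the {@code username} option; omitted when null or empty
     * @param password value for the {@code password} option; omitted when null or empty
     * @param metadataServerUrls value for {@code metadataServerUrls}; omitted when null or empty
     * @return an unmodifiable map holding only {@code sasl.jaas.config}
     */
    private Map<String, Object> buildClientJassConfigText(String username, String password, String metadataServerUrls) {
        StringBuilder jaas = new StringBuilder(LOGIN_MODULE);
        appendOption(jaas, "username", username);
        appendOption(jaas, "password", password);
        appendOption(jaas, "metadataServerUrls", metadataServerUrls);
        return jaasConfig(jaas);
    }

    /**
     * Builds client configs whose JAAS entry carries an {@code authenticationToken} option.
     *
     * @param authenticationToken value for {@code authenticationToken}; omitted when null or empty
     * @param metadataServerUrls value for {@code metadataServerUrls}; omitted when null or empty
     * @return an unmodifiable map holding only {@code sasl.jaas.config}
     */
    private Map<String, Object> buildClientJassConfigText(String authenticationToken, String metadataServerUrls) {
        StringBuilder jaas = new StringBuilder(LOGIN_MODULE);
        appendOption(jaas, "authenticationToken", authenticationToken);
        appendOption(jaas, "metadataServerUrls", metadataServerUrls);
        return jaasConfig(jaas);
    }

    /**
     * Appends {@code  name="value"} to the JAAS entry unless the value is null or empty.
     * Values are not escaped; callers pass fixed test literals only.
     */
    private static void appendOption(StringBuilder jaas, String name, String value) {
        if (value != null && !value.isEmpty()) {
            jaas.append(' ').append(name).append("=\"").append(value).append('"');
        }
    }

    /** Terminates the JAAS entry and wraps it, as a {@link Password}, in an unmodifiable config map. */
    private static Map<String, Object> jaasConfig(StringBuilder jaas) {
        Map<String, Object> configs = new HashMap<>();
        configs.put("sasl.jaas.config", new Password(jaas + ";"));
        return Collections.unmodifiableMap(configs);
    }
}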
