package integration.rbacapi.api.v1;

import io.confluent.rbacapi.retrofit.v1.V1RbacRetrofitFactory;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.testing.ldap.client.ExampleComLdapCrud;
import io.confluent.testing.ldap.server.LdapServer;
import io.confluent.tokenapi.entities.AuthenticationResponse;
import java.io.IOException;
import java.util.HashMap;
import org.hamcrest.MatcherAssert;
import org.hamcrest.core.Is;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.testng.Assert;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;
import retrofit2.Response;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;

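/**
 * Integration tests for how the MDS token endpoint derives a token's lifetime and its
 * {@code mex} (maximum expiry) claim from the client-supplied {@code X-C3-Token-Max-Life} header.
 *
 * <p>The assertions imply that the header value is in milliseconds while the JWT claims
 * ({@code iat}, {@code exp}, {@code mex}) and the reported lifetime are in seconds: a header of
 * {@code 80000000} yields {@code mex - iat == 80000}.
 *
 * <p>Security note: the {@link JwtConsumer} used here skips signature verification and every
 * validator. It only decodes claims from tokens the test has just received from the MDS under
 * test. Expiry enforcement is checked against the server (see
 * {@link #testWhenExpiryTimeIsVeryCloseToMex()}), never through this consumer, and this
 * configuration must not be copied into code that makes trust decisions.
 */
@Test(groups = {"tokenTests"})
/* loaded from: input_file:integration/rbacapi/api/v1/TokenExpiryTest.class */
public class TokenExpiryTest {
    /** Request header through which the client asks for a maximum token life. */
    private static final String MAX_LIFE_HEADER = "X-C3-Token-Max-Life";

    /** Lifetime, in seconds, that every freshly issued token in these tests is expected to report. */
    private static final long DEFAULT_LIFETIME_SECONDS = 21600L;

    private LdapServer ldapServer;
    private RbacClusters rbacClusters;
    private int actualMdsPort;
    private String validAuthToken;
    private JwtConsumer jwtConsumer;

    /**
     * Starts an embedded LDAP server holding the single test user {@code mds}, brings up the RBAC
     * clusters against it and builds the claim-decoding JWT consumer.
     */
    @BeforeClass
    public void setUp() throws Throwable {
        this.ldapServer = LdapServer.defaultServerNoUsers().start();
        int ldapPort = this.ldapServer.actualPort();
        new ExampleComLdapCrud(ldapPort).createUser("mds");
        this.rbacClusters = new RbacClusters(KafkaConfigTool.ldapWithTokens(ldapPort, "mds"));
        this.actualMdsPort = MdsTestUtil.lookupActualMdsPort(this.rbacClusters);
        // Decode-only consumer: no signature check, no exp/iss/aud validation. Claims read through
        // it are unauthenticated data and are used here solely to inspect what the server issued.
        this.jwtConsumer = new JwtConsumerBuilder()
                .setSkipSignatureVerification()
                .setDisableRequireSignature()
                .setSkipAllValidators()
                .build();
    }

    /**
     * Releases the fixtures. Each step runs even if an earlier one throws, so that a failing LDAP
     * shutdown no longer leaves the clusters running or the MDS port reserved.
     */
    @AfterClass
    public void tearDown() {
        try {
            if (this.ldapServer != null) {
                this.ldapServer.stop();
            }
        } finally {
            try {
                if (this.rbacClusters != null) {
                    this.rbacClusters.shutdown();
                }
            } finally {
                MdsTestUtil.releasePort(this.actualMdsPort);
            }
        }
    }

    /** A token issued with a max-life header carries the expected issuer and a {@code mex} claim. */
    @Test
    public void testMexClaimPresence() throws Exception {
        this.validAuthToken = requireBody(getTokenWithMexTimeoutUsingBasicAuth("28800000")).authenticationToken();
        JwtClaims claims = this.jwtConsumer.processToClaims(this.validAuthToken);
        Assert.assertEquals(claims.getIssuer(), "Confluent");
        Assert.assertTrue(claims.hasClaim("mex"));
    }

    /**
     * With a max life well beyond the default lifetime, the token gets the default lifetime and
     * can be exchanged for a new token.
     */
    @Test
    public void testWhenExpiryTimeIsVeryFarFromMex() throws Exception {
        Response<AuthenticationResponse> issued = getTokenWithMexTimeoutUsingBasicAuth("28800000");
        AuthenticationResponse issuedBody = requireBody(issued);
        this.validAuthToken = issuedBody.authenticationToken();
        JwtClaims claims = this.jwtConsumer.processToClaims(this.validAuthToken);
        Assert.assertEquals(issuedBody.lifetime(), DEFAULT_LIFETIME_SECONDS);
        Assert.assertEquals(claims.getIssuedAt().getValue() + DEFAULT_LIFETIME_SECONDS, claims.getExpirationTime().getValue());

        Response<AuthenticationResponse> renewed = getTokenWithMexTimeoutUsingTokenAuth(this.validAuthToken, "28800000");
        MatcherAssert.assertThat(renewed.isSuccessful(), Is.is(true));
        MatcherAssert.assertThat(renewed.code(), Is.is(200));
    }

    /**
     * With a 10 second max life, a renewed token's expiry is capped at {@code mex}, and once
     * {@code mex} has passed the server rejects further renewal with 401.
     */
    @Test
    public void testWhenExpiryTimeIsVeryCloseToMex() throws Exception {
        Response<AuthenticationResponse> issued = getTokenWithMexTimeoutUsingBasicAuth("10000");
        AuthenticationResponse issuedBody = requireBody(issued);
        this.validAuthToken = issuedBody.authenticationToken();
        JwtClaims claims = this.jwtConsumer.processToClaims(this.validAuthToken);
        Assert.assertEquals(issuedBody.lifetime(), DEFAULT_LIFETIME_SECONDS);
        Assert.assertEquals(claims.getIssuedAt().getValue() + DEFAULT_LIFETIME_SECONDS, claims.getExpirationTime().getValue());

        Response<AuthenticationResponse> renewed = getTokenWithMexTimeoutUsingTokenAuth(this.validAuthToken, "10000");
        // Check the status before touching the body so a rejected renewal fails with a readable
        // assertion instead of a NullPointerException.
        MatcherAssert.assertThat(renewed.isSuccessful(), Is.is(true));
        MatcherAssert.assertThat(renewed.code(), Is.is(200));
        AuthenticationResponse renewedBody = requireBody(renewed);
        JwtClaims renewedClaims = this.jwtConsumer.processToClaims(renewedBody.authenticationToken());
        // The renewed token may not outlive mex: its lifetime is what is left until mex, and exp == mex.
        Assert.assertEquals(renewedBody.lifetime(), mexSeconds(renewedClaims) - renewedClaims.getIssuedAt().getValue());
        Assert.assertEquals(renewedClaims.getExpirationTime().getValue(), mexSeconds(renewedClaims));

        // Wait past the 10 second max life; this is wall-clock dependent by design.
        Thread.sleep(15000L);

        Response<AuthenticationResponse> rejected = getTokenWithMexTimeoutUsingTokenAuth(renewedBody.authenticationToken(), "10000");
        MatcherAssert.assertThat(rejected.isSuccessful(), Is.is(false));
        MatcherAssert.assertThat(rejected.code(), Is.is(401));
        Assert.assertEquals(rejected.message(), "Unauthorized");
    }

    /** A requested max life above the ceiling is capped: {@code mex - iat} is 86400 seconds. */
    @Test
    public void testMexCannotExceedMaxMexValue() throws Exception {
        Response<AuthenticationResponse> issued = getTokenWithMexTimeoutUsingBasicAuth("90000000");
        AuthenticationResponse issuedBody = requireBody(issued);
        this.validAuthToken = issuedBody.authenticationToken();
        JwtClaims claims = this.jwtConsumer.processToClaims(this.validAuthToken);
        Assert.assertEquals(issuedBody.lifetime(), DEFAULT_LIFETIME_SECONDS);
        Assert.assertEquals(mexSeconds(claims) - claims.getIssuedAt().getValue(), 86400L);
    }

    /** A requested max life below the ceiling is honoured as given: {@code mex - iat} is 80000 seconds. */
    @Test
    public void testMexWhenItDoesntExceedMaxMexValue() throws Exception {
        Response<AuthenticationResponse> issued = getTokenWithMexTimeoutUsingBasicAuth("80000000");
        AuthenticationResponse issuedBody = requireBody(issued);
        this.validAuthToken = issuedBody.authenticationToken();
        JwtClaims claims = this.jwtConsumer.processToClaims(this.validAuthToken);
        Assert.assertEquals(issuedBody.lifetime(), DEFAULT_LIFETIME_SECONDS);
        Assert.assertEquals(mexSeconds(claims) - claims.getIssuedAt().getValue(), 80000L);
    }

    /**
     * A negative max life does not produce a {@code mex} before issuance: {@code mex} equals {@code iat}.
     *
     * <p>NOTE(review): the token still reports the default lifetime; whether such a token can be
     * renewed at all is not exercised here.
     */
    @Test
    public void testMexCannotBeNegative() throws Exception {
        Response<AuthenticationResponse> issued = getTokenWithMexTimeoutUsingBasicAuth("-45000");
        AuthenticationResponse issuedBody = requireBody(issued);
        this.validAuthToken = issuedBody.authenticationToken();
        JwtClaims claims = this.jwtConsumer.processToClaims(this.validAuthToken);
        Assert.assertEquals(issuedBody.lifetime(), DEFAULT_LIFETIME_SECONDS);
        Assert.assertEquals(mexSeconds(claims) - claims.getIssuedAt().getValue(), 0L);
    }

    /**
     * A non-numeric max life is rejected.
     *
     * <p>NOTE(review): this pins the current status code, 500. A malformed client-supplied header
     * surfacing as a server error rather than a 4xx is worth confirming as intended.
     */
    @Test
    public void testMexCannotBeNonInteger() throws Exception {
        Assert.assertEquals(getTokenWithMexTimeoutUsingBasicAuth("abcd").code(), 500);
    }

    /** Returns the response body, failing the test with the HTTP status if the server sent none. */
    private static AuthenticationResponse requireBody(Response<AuthenticationResponse> response) {
        AuthenticationResponse body = response.body();
        Assert.assertNotNull(body, "token endpoint returned no body, HTTP " + response.code());
        return body;
    }

    /** Reads the {@code mex} claim; the decoded claims map is expected to hold it as a {@link Long}. */
    private static long mexSeconds(JwtClaims claims) {
        return ((Long) claims.getClaimsMap().get("mex")).longValue();
    }

    /**
     * Requests a token with HTTP basic auth as the LDAP test user {@code mds}, sending
     * {@code maxLife} in the max-life header.
     *
     * @param maxLife raw header value, passed through unvalidated so tests can send bad input
     * @return the executed call's response
     * @throws IOException if the HTTP call fails
     */
    private Response<AuthenticationResponse> getTokenWithMexTimeoutUsingBasicAuth(String maxLife) throws IOException {
        // Raw type kept: the factory's parameter type is not visible from this file.
        HashMap headers = new HashMap();
        headers.put(MAX_LIFE_HEADER, String.valueOf(maxLife));
        return V1RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, "mds", "mds", headers).issueToken().execute();
    }

    /**
     * Requests a token while authenticating with an existing token, sending {@code maxLife} in
     * the max-life header.
     *
     * @param token   token presented as the credential
     * @param maxLife raw header value, passed through unvalidated
     * @return the executed call's response
     * @throws IOException if the HTTP call fails
     */
    private Response<AuthenticationResponse> getTokenWithMexTimeoutUsingTokenAuth(String token, String maxLife) throws IOException {
        // Raw type kept: the factory's parameter type is not visible from this file.
        HashMap headers = new HashMap();
        headers.put(MAX_LIFE_HEADER, String.valueOf(maxLife));
        return V1RbacRetrofitFactory.buildWithToken(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, token, headers).issueToken().execute();
    }
}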
