package integration.sso.oidc;

import com.fasterxml.jackson.databind.JsonNode;
import com.github.tomakehurst.wiremock.WireMockServer;
import com.github.tomakehurst.wiremock.client.WireMock;
import dasniko.testcontainers.keycloak.KeycloakContainer;
import io.confluent.oidc.exceptions.TokenResponseException;
import io.confluent.rbacapi.entities.AuthorizeRequest;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.retrofit.v1.V1RbacRestApi;
import io.confluent.rbacapi.retrofit.v1.V1RbacRetrofitFactory;
import io.confluent.security.authentication.http.HttpClient;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.RbacClusters;
import java.io.FileReader;
import java.io.IOException;
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.time.Duration;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.core.Response;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.openssl.PEMParser;
import org.eclipse.jetty.http.DateGenerator;
import org.hamcrest.Matcher;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.hamcrest.core.Is;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.junit.Assert;
import org.openqa.selenium.By;
import org.openqa.selenium.Cookie;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.htmlunit.HtmlUnitDriver;
import org.openqa.selenium.support.ui.ExpectedConditions;
import org.openqa.selenium.support.ui.WebDriverWait;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;
import retrofit2.Response;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;

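/**
 * Integration tests for the MDS v1 OIDC single-sign-on endpoints, run against a throwaway
 * Keycloak container that plays the identity provider (IdP).
 *
 * <p>Security properties pinned by these tests:
 * <ul>
 *   <li>the authorization redirect carries {@code response_type=code}, the configured client id,
 *       the {@code openid} scope, the expected {@code redirect_uri} and a per-request state;</li>
 *   <li>the callback rejects a state that does not match the {@code o2state} cookie (403), an
 *       empty authorization code (403) and a replayed authorization code (500, relaying the
 *       IdP's {@code invalid_grant});</li>
 *   <li>session cookies are issued with {@code HttpOnly; Secure; Path=/} plus a {@code SameSite}
 *       attribute, and are expired on logout and after the callback;</li>
 *   <li>role bindings for the user or for one of the token's groups decide authorization.</li>
 * </ul>
 *
 * <p>The client secret and the {@code testuser1} credentials below are test fixtures; they are
 * presumably defined in {@code sso/keycloak-cp-sso-realm.json} and must stay confined to it.
 */
@Test(groups = {"classParallelTests"})
/* loaded from: input_file:integration/sso/oidc/V1OidcApiTest.class */
public class V1OidcApiTest {
    private static final String REALM_IMPORT_FILE = "sso/keycloak-cp-sso-realm.json";
    private static final String CALLBACK_PATH = "security/1.0/oidc/authorization-code/callback";
    /** Local sink that stands in for the "caller" application and captures the final redirect. */
    private static final int CAPTURE_PORT = 8098;
    private static final String CAPTURE_BASE_URL = "http://localhost:" + CAPTURE_PORT;
    private static final String AUTH_COOKIE = "auth_token";
    private static final String TEST_USER = "testuser1";
    private static final String UUID_REGEX = "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}";

    private KeycloakContainer keycloak;
    private RbacClusters.Config rbacConfig;
    private RbacClusters rbacClusters;
    private int actualMdsPort;
    private HttpClient httpClient;
    private Scope mdsKafkaCluster;

    /** Outcome of a browser login: the state cookie MDS issued plus the state/code the IdP returned. */
    private static final class CapturedCallback {
        private final String stateCookie;
        private final String state;
        private final String code;

        private CapturedCallback(String stateCookie, String state, String code) {
            this.stateCookie = stateCookie;
            this.state = state;
            this.code = code;
        }
    }

    /**
     * Starts Keycloak with the test realm, then an RBAC cluster whose MDS is configured to use it
     * as OIDC provider.
     */
    @BeforeClass
    public void setUp() throws Throwable {
        this.httpClient = HttpClient.builder().build();
        String osArch = System.getProperty("os.arch");
        String osName = System.getProperty("os.name");
        boolean arm64 = osArch != null && osArch.startsWith("arm64");
        boolean intelMac = osArch != null && osName != null && osArch.startsWith("x86_64") && osName.contains("Mac");
        // NOTE(review): both images are referenced by mutable tag, not by digest, and the second
        // one comes from a personal registry namespace rather than the Keycloak project's. Pin by
        // digest or mirror the image internally so CI does not run whatever the tag points at later.
        // NOTE(review): a native JVM on Apple Silicon usually reports os.arch=aarch64, which the
        // "arm64" prefix does not match - confirm the intended hosts.
        if (!arm64 && !intelMac) {
            System.out.println("Initializing keycloak for amd64 architecture");
            this.keycloak = new KeycloakContainer("quay.io/keycloak/keycloak:17.0.0-legacy").withRealmImportFile(REALM_IMPORT_FILE);
        } else {
            System.out.println("Initializing keycloak for arm64 architecture");
            this.keycloak = new KeycloakContainer("mihaibob/keycloak:17.0.0-legacy").withRealmImportFile(REALM_IMPORT_FILE);
        }
        System.out.println("Starting Keycloak server. This may take few seconds.");
        this.keycloak.start();
        System.out.println("Keycloak server started at: " + this.keycloak.getAuthServerUrl());
        this.rbacConfig = KafkaConfigTool.hashWithTokensAndOidc("mds", Arrays.asList("mds", "mds"), getOidcConfigs());
        this.rbacClusters = new RbacClusters(this.rbacConfig);
        this.mdsKafkaCluster = Scope.kafkaClusterScope(this.rbacClusters.metadataClusterId());
        this.actualMdsPort = MdsTestUtil.lookupActualMdsPort(this.rbacClusters);
    }

    /**
     * Stops the cluster and the IdP container. The container is stopped in a {@code finally} so a
     * failing cluster shutdown cannot leave it running; fields are null-checked because
     * {@link #setUp()} may have failed part-way.
     */
    @AfterClass
    public void tearDown() {
        try {
            if (this.rbacClusters != null) {
                this.rbacClusters.shutdown();
                MdsTestUtil.releasePort(this.actualMdsPort);
            }
        } finally {
            if (this.keycloak != null) {
                this.keycloak.stop();
            }
        }
    }

    /** The authorization redirect for a caller on the MDS host points back at the MDS callback. */
    @Test
    public void testGetIdpAuthUri() throws Exception {
        retrofit2.Response<String> redirect = newMdsApi().getOidcIdpAuthUri(mdsBaseUrl() + "/").execute();
        validateIdpAuthUriResponse(redirect, mdsBaseUrl() + "/" + CALLBACK_PATH);
    }

    /** Full browser login, then session refresh, then logout. */
    @Test
    public void testAuthenticateFlow() throws Exception {
        String authToken = loginAndGetAuthToken();
        assertExpectedGroups(verifyAuthTokenAndGetClaims(authToken));

        V1RbacRestApi api = newMdsApi();
        retrofit2.Response<?> refresh = api.checkSessionAndRefreshToken(AUTH_COOKIE + "=" + authToken).execute();
        MatcherAssert.assertThat(refresh.code(), Is.is(200));
        String refreshedToken = getAuthTokenFromCookies(refresh.headers().toMultimap().get("set-cookie"));
        MatcherAssert.assertThat(refresh.body(), Matchers.notNullValue());
        // Verify the REFRESHED token. The previous version re-verified the pre-refresh cookie
        // here, so the signature and claims of the token issued by the refresh were never checked.
        assertExpectedGroups(verifyAuthTokenAndGetClaims(refreshedToken));
        Assert.assertNotEquals(authToken, refreshedToken);

        retrofit2.Response<?> logout = api.logout(AUTH_COOKIE + "=" + refreshedToken).execute();
        MatcherAssert.assertThat(logout.code(), Is.is(200));
        List<String> cleared = logout.headers().toMultimap().get("set-cookie");
        MatcherAssert.assertThat(cleared.size(), Is.is(1));
        // Logout must expire the session cookie while keeping its protective attributes.
        MatcherAssert.assertThat(cleared.get(0), Matchers.matchesPattern("auth_token=; HttpOnly; Secure; Path=/; Expires=" + DateGenerator.formatCookieDate(0L).trim() + "; SameSite=Lax; Max-Age=0"));
    }

    /** An authorization code is single-use: the second callback with the same code must fail. */
    @Test
    public void testReusingSameAuthCode() throws Exception {
        V1RbacRestApi api = newMdsApi();
        CapturedCallback callback = startFlowAndCaptureCallback(api);

        retrofit2.Response<?> first = api.handleCallback(callback.stateCookie, callback.state, callback.code, null, null).execute();
        MatcherAssert.assertThat(first.code(), Is.is(302));
        Map<String, List<String>> headers = first.headers().toMultimap();
        MatcherAssert.assertThat(headers.get("location").size(), Is.is(1));
        MatcherAssert.assertThat(headers.get("location").get(0), Is.is("http://localhost:8098"));
        List<String> cookies = headers.get("set-cookie");
        MatcherAssert.assertThat(cookies, Matchers.notNullValue());
        MatcherAssert.assertThat(cookies.size(), Is.is(2));
        // Sorting puts "auth_token=..." before "o2state=..." so the two can be checked by index.
        Collections.sort(cookies);
        MatcherAssert.assertThat(cookies.get(1), Matchers.matchesPattern("o2state=; HttpOnly; Secure; Path=/; Expires=" + DateGenerator.formatCookieDate(0L).trim() + "; SameSite=Strict; Max-Age=0"));
        MatcherAssert.assertThat(cookies.get(0), Matchers.matchesPattern("auth_token=.*; HttpOnly; Secure; Path=/; Expires=.*GMT; SameSite=Lax; Max-Age=.*"));

        retrofit2.Response<?> replay = api.handleCallback(callback.stateCookie, callback.state, callback.code, null, null).execute();
        // NOTE(review): this pins a 500 whose body relays the IdP's error text. A client-caused
        // replay is arguably a 4xx, and echoing upstream error detail to the browser is worth
        // reviewing on the server side; the assertions only document current behaviour.
        assertErrorResponse(replay, 500, "Internal Server Error", Matchers.matchesPattern(".*bad request status from IdP.*invalid_grant.*Code not valid.*"));
    }

    /** A callback without an authorization code is rejected before the IdP is contacted (403). */
    @Test
    public void testEmptyAuthCodeInCallback() throws Exception {
        V1RbacRestApi api = newMdsApi();
        CapturedCallback callback = startFlowAndCaptureCallback(api);
        retrofit2.Response<?> response = api.handleCallback(callback.stateCookie, callback.state, "", null, null).execute();
        assertErrorResponse(response, 403, "Forbidden", Is.is("{\"status_code\":403,\"message\":\"authorization code is null or empty\"}"));
    }

    /** Error parameters on the callback take precedence over an otherwise valid code. */
    @Test
    public void testCallbackErrorParams() throws Exception {
        V1RbacRestApi api = newMdsApi();
        CapturedCallback callback = startFlowAndCaptureCallback(api);
        retrofit2.Response<?> response = api.handleCallback(callback.stateCookie, callback.state, callback.code, "invalid_grant", "Error happened").execute();
        assertErrorResponse(response, 500, "Internal Server Error", Is.is("{\"status_code\":500,\"message\":\"invalid_grant\"}"));
    }

    /** CSRF protection: a state that differs from the one bound to the cookie is rejected (403). */
    @Test
    public void testCsrfInCallback() throws Exception {
        V1RbacRestApi api = newMdsApi();
        CapturedCallback callback = startFlowAndCaptureCallback(api);
        retrofit2.Response<?> response = api.handleCallback(callback.stateCookie, "changed-state", callback.code, null, null).execute();
        assertErrorResponse(response, 403, "Forbidden", Is.is("{\"status_code\":403,\"message\":\"Invalid state parameter\"}"));
    }

    /** Logs in, then checks that user and group role bindings drive the authorize endpoint. */
    @Test
    public void testGroupAuthorization() throws Exception {
        String authToken = loginAndGetAuthToken();
        JwtClaims claims = verifyAuthTokenAndGetClaims(authToken);
        assertExpectedGroups(claims);
        assertRoleBindingsControlAccess(authToken, claims.getSubject(), new HashSet<>(claims.getStringListClaimValue("groups")));
    }

    /**
     * For every combination of "bind role to user" / "bind role to group /g1": access is denied
     * before any binding, matches the expectation after granting, and the bindings are removed.
     */
    private void assertRoleBindingsControlAccess(String authToken, String subject, Set<String> groups) throws IOException {
        // {grant to user, grant to group}; access is expected exactly when at least one is granted.
        boolean[][] grantCombinations = {{false, false}, {true, false}, {false, true}, {true, true}};
        for (boolean[] combination : grantCombinations) {
            boolean grantToUser = combination[0];
            boolean grantToGroup = combination[1];
            AuthorizeResult expected = (grantToUser || grantToGroup) ? AuthorizeResult.ALLOWED : AuthorizeResult.DENIED;

            assertSingleResult(checkAccess(subject, groups, authToken), AuthorizeResult.DENIED);
            if (grantToUser) {
                grantAccess("User:" + subject);
            }
            if (grantToGroup) {
                grantAccess("Group:/g1");
            }
            assertSingleResult(checkAccess(subject, groups, authToken), expected);
            // Both bindings are removed unconditionally, as before, so each round starts clean.
            removeAccess("User:" + subject);
            removeAccess("Group:/g1");
        }
    }

    private static void assertSingleResult(List<AuthorizeResult> results, AuthorizeResult expected) {
        MatcherAssert.assertThat(results, Matchers.notNullValue());
        MatcherAssert.assertThat(results.size(), Is.is(1));
        MatcherAssert.assertThat(results.get(0), Is.is(expected));
    }

    /** Asserts status, reason phrase and error body of a failed call, and that it has no body. */
    private static void assertErrorResponse(retrofit2.Response<?> response, int status, String reason, Matcher<String> errorBody) throws IOException {
        MatcherAssert.assertThat(response.code(), Is.is(status));
        MatcherAssert.assertThat(response.message(), Is.is(reason));
        MatcherAssert.assertThat(response.errorBody().string(), errorBody);
        MatcherAssert.assertThat(response.body(), Matchers.nullValue());
    }

    /** The test user's token must carry exactly the groups {@code /g1} and {@code /g3/g33}. */
    private static void assertExpectedGroups(JwtClaims claims) throws Exception {
        MatcherAssert.assertThat(claims.getClaimValue("groups"), Matchers.instanceOf(List.class));
        MatcherAssert.assertThat(claims.getStringListClaimValue("groups"), Matchers.containsInAnyOrder("/g1", "/g3/g33"));
    }

    private String mdsBaseUrl() {
        return MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST + ":" + this.actualMdsPort;
    }

    private V1RbacRestApi newMdsApi() {
        return V1RbacRetrofitFactory.build(mdsBaseUrl(), false);
    }

    /**
     * Drives the browser through {@code /oidc/authenticate} with the MDS itself as caller and
     * returns the value of the resulting {@code auth_token} cookie. The driver is always closed.
     */
    private String loginAndGetAuthToken() {
        String authenticateUrl = mdsBaseUrl() + "/security/1.0/oidc/authenticate?caller=" + mdsBaseUrl() + "/";
        HtmlUnitDriver driver = new HtmlUnitDriver();
        Cookie authCookie;
        try {
            fillFormAndLogin(driver, authenticateUrl);
            authCookie = driver.manage().getCookieNamed(AUTH_COOKIE);
        } finally {
            driver.quit();
        }
        MatcherAssert.assertThat(authCookie, Matchers.notNullValue());
        MatcherAssert.assertThat(authCookie.getValue().length(), Matchers.greaterThan(1));
        return authCookie.getValue();
    }

    /**
     * Requests the IdP authorization URI for the capture host, logs in through the browser and
     * returns the state cookie together with the (URL-decoded) state and the code the IdP sent.
     */
    private CapturedCallback startFlowAndCaptureCallback(V1RbacRestApi api) throws Exception {
        retrofit2.Response<String> redirect = api.getOidcIdpAuthUri(CAPTURE_BASE_URL + "/").execute();
        validateIdpAuthUriResponse(redirect, CAPTURE_BASE_URL + "/" + CALLBACK_PATH);
        Map<String, List<String>> headers = redirect.headers().toMultimap();
        String stateCookie = headers.get("set-cookie").get(0);
        Map<String, String> params = extractQueryParams(loginAndGetUriWithAuthCode(headers.get("location").get(0)).toString());
        Assert.assertTrue(params.containsKey("state"));
        Assert.assertTrue(params.containsKey("code"));
        Assert.assertFalse(params.containsKey("error"));
        Assert.assertFalse(params.containsKey("error_description"));
        return new CapturedCallback(stateCookie, URLDecoder.decode(params.get("state"), "UTF-8"), params.get("code"));
    }

    /** Builds the MDS OIDC settings from the Keycloak realm's discovery document. */
    private Map<String, String> getOidcConfigs() throws Exception {
        JsonNode discovery = fetchIdpConfigs(URI.create(this.keycloak.getAuthServerUrl() + "/realms/cpsso/.well-known/openid-configuration"));
        Map<String, String> configs = new HashMap<>();
        configs.put("confluent.oidc.idp.groups.claim.name", "profile_groups");
        configs.put("confluent.oidc.idp.refresh.token.enabled", "false");
        configs.put("confluent.oidc.idp.jwks.endpoint.uri", discovery.get("jwks_uri").asText());
        configs.put("confluent.oidc.idp.authorize.base.endpoint.uri", discovery.get("authorization_endpoint").asText());
        configs.put("confluent.oidc.idp.client.id", "ssologin");
        // Fixture secret for the "ssologin" client of the throwaway realm; never reuse it for a
        // real IdP client, and rotate it in the realm file if this value is changed.
        configs.put("confluent.oidc.idp.client.secret", "KbLRih1HzjDC267PefuKU7QIoZ8hgHDK");
        configs.put("confluent.oidc.idp.token.base.endpoint.uri", discovery.get("token_endpoint").asText());
        configs.put("confluent.oidc.idp.issuer", discovery.get("issuer").asText());
        return configs;
    }

    /**
     * Fetches and parses the OpenID discovery document, blocking until the request completes.
     * Any failure, including a non-200 status, surfaces wrapped in a TokenResponseException.
     */
    private JsonNode fetchIdpConfigs(URI uri) throws Exception {
        return (JsonNode) this.httpClient.target(uri).request().rx().get().thenApply(response -> {
            if (response == null) {
                throw new RuntimeException("response from keycloak is null. Validate realm configs.");
            }
            // Fully qualified: retrofit2.Response is imported under the same simple name.
            if (javax.ws.rs.core.Response.Status.OK.getStatusCode() != response.getStatus()) {
                throw new RuntimeException("Failed to fetch configuration from keycloak with status:" + response.getStatus());
            }
            return (JsonNode) response.readEntity(JsonNode.class);
        }).exceptionally(th -> {
            throw new TokenResponseException("Failed to retrieve keycloak configs", th);
        }).toCompletableFuture().get();
    }

    /**
     * Checks the "start login" response: a 302 to the IdP plus exactly one {@code o2state} cookie
     * that is HttpOnly, Secure, SameSite=Lax and lives for 600 seconds.
     */
    private void validateIdpAuthUriResponse(retrofit2.Response<String> response, String expectedRedirectUri) throws Exception {
        Map<String, List<String>> headers = response.headers().toMultimap();
        MatcherAssert.assertThat(response.code(), Is.is(302));
        MatcherAssert.assertThat(headers.get("set-cookie").size(), Is.is(1));
        MatcherAssert.assertThat(headers.get("set-cookie").get(0), Matchers.matchesPattern("o2state=.*; HttpOnly; Secure; Path=/; Expires=.*GMT; SameSite=Lax; Max-Age=600"));
        MatcherAssert.assertThat(headers.get("location").size(), Is.is(1));
        MatcherAssert.assertThat(isValidIdpAuthUri(headers.get("location").get(0), expectedRedirectUri), Is.is(true));
    }

    /**
     * Returns whether {@code idpAuthUri} targets the configured authorization endpoint with the
     * expected response type, client id, scope and redirect URI, and whether its state is a
     * lower-case UUID followed by the URL-encoded redirect URI. The first mismatch is printed.
     */
    private boolean isValidIdpAuthUri(String idpAuthUri, String expectedRedirectUri) throws Exception {
        Map<String, String> oidcConfigs = getOidcConfigs();
        String encodedRedirectUri = URLEncoder.encode(expectedRedirectUri, "UTF-8");
        String authorizeEndpoint = oidcConfigs.get("confluent.oidc.idp.authorize.base.endpoint.uri");
        if (!idpAuthUri.startsWith(authorizeEndpoint)) {
            System.out.println("idpAuthUri: " + idpAuthUri + " not starts with: " + authorizeEndpoint);
            return false;
        }
        Map<String, String> params = extractQueryParams(idpAuthUri);
        if (!"code".equals(params.get("response_type"))) {
            System.out.println("response_type is: " + params.get("response_type") + ". Expected: code");
            return false;
        }
        String clientId = oidcConfigs.get("confluent.oidc.idp.client.id");
        if (!clientId.equals(params.get("client_id"))) {
            System.out.println("client_id is: " + params.get("client_id") + ". Expected: " + clientId);
            return false;
        }
        if (!"openid".equals(params.get("scope"))) {
            // The message used to announce "openid+offline_access" although only "openid" passes.
            System.out.println("scope is: " + params.get("scope") + ". Expected: openid");
            return false;
        }
        if (!encodedRedirectUri.equals(params.get("redirect_uri"))) {
            System.out.println("redirect_uri is: " + params.get("redirect_uri") + ". Expected: " + encodedRedirectUri);
            return false;
        }
        String state = params.get("state");
        // Compare the suffix literally instead of splicing it into a regex: URLEncoder leaves
        // '.', '*' and '+' in its output, and those are regex metacharacters.
        return state != null
                && state.endsWith(encodedRedirectUri)
                && state.substring(0, state.length() - encodedRedirectUri.length()).matches(UUID_REGEX);
    }

    /**
     * Splits the query string of {@code url} into a map without URL-decoding. Each pair is split at
     * its first {@code '='} only, so a value that itself contains {@code '='} is kept rather than
     * dropped; pairs without a value are still skipped.
     */
    private Map<String, String> extractQueryParams(String url) {
        Map<String, String> params = new HashMap<>();
        int queryStart = url.indexOf('?');
        if (queryStart == -1) {
            return params;
        }
        for (String pair : url.substring(queryStart + 1).split("&")) {
            String[] keyValue = pair.split("=", 2);
            if (keyValue.length == 2 && !keyValue[1].isEmpty()) {
                params.put(keyValue[0], keyValue[1]);
            }
        }
        return params;
    }

    /** Waits for the Keycloak login form and submits it with the test user's credentials. */
    private void submitLoginForm(WebDriver driver, WebDriverWait wait) {
        wait.until(ExpectedConditions.presenceOfElementLocated(By.id("username")));
        driver.findElement(By.id("username")).sendKeys(TEST_USER);
        driver.findElement(By.id("password")).sendKeys(TEST_USER);
        driver.findElement(By.id("kc-login")).click();
    }

    /**
     * Opens {@code url} and logs in, best effort: failures are printed rather than thrown, and
     * callers detect a failed login through the missing {@code auth_token} cookie.
     */
    private void fillFormAndLogin(WebDriver webDriver, String url) {
        try {
            webDriver.get(url);
            submitLoginForm(webDriver, new WebDriverWait(webDriver, Duration.ofMinutes(1L)));
            // Gives the post-login redirects time to finish before the cookie is read.
            Thread.sleep(1000L);
        } catch (InterruptedException e) {
            // Keep the interrupt visible to the test runner instead of swallowing it.
            Thread.currentThread().interrupt();
            e.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Verifies signature and registered claims of an MDS-issued token and returns its claims:
     * issuer must be {@code Confluent}; {@code jti}, {@code sub} and {@code exp} are required;
     * 30 seconds of clock skew are tolerated. Audience validation is skipped.
     */
    private JwtClaims verifyAuthTokenAndGetClaims(String token) throws Exception {
        return new JwtConsumerBuilder()
                .setRequireJwtId()
                .setExpectedIssuer(true, "Confluent")
                .setSkipDefaultAudienceValidation()
                .setRequireSubject()
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(30)
                .setVerificationKey(loadPublicKeyFromFile(this.rbacConfig.publicKey))
                .build()
                .processToClaims(token);
    }

    /** Reads an RSA public key from a PEM file; reader and parser are closed afterwards. */
    private PublicKey loadPublicKeyFromFile(String path) throws Exception {
        try (FileReader reader = new FileReader(path); PEMParser parser = new PEMParser(reader)) {
            SubjectPublicKeyInfo keyInfo = (SubjectPublicKeyInfo) parser.readObject();
            return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(keyInfo.getEncoded()));
        }
    }

    /**
     * Returns the value of the {@code auth_token} cookie from a list of Set-Cookie headers.
     * The match is on {@code "auth_token="} so a cookie whose name merely starts with
     * {@code auth_token} is not mistaken for it.
     */
    private String getAuthTokenFromCookies(List<String> setCookieHeaders) {
        MatcherAssert.assertThat(setCookieHeaders, Matchers.notNullValue());
        String prefix = AUTH_COOKIE + "=";
        String valueAndAttributes = null;
        for (String header : setCookieHeaders) {
            if (header.startsWith(prefix)) {
                valueAndAttributes = header.substring(prefix.length());
                break;
            }
        }
        MatcherAssert.assertThat(valueAndAttributes, Matchers.notNullValue());
        return valueAndAttributes.split(";")[0];
    }

    /**
     * Logs in at the IdP and returns the URL the browser ends up on at the local capture server,
     * which carries the state and authorization code. The server and the driver are released in
     * {@code finally} blocks: a failed wait would otherwise keep the fixed capture port bound and
     * break every later test that needs it.
     */
    private URI loginAndGetUriWithAuthCode(String idpAuthUri) throws InterruptedException {
        // NOTE(review): the port is fixed, so tests using it must not run concurrently.
        WireMockServer captureServer = new WireMockServer(CAPTURE_PORT);
        captureServer.start();
        try {
            captureServer.stubFor(WireMock.get(WireMock.anyUrl()).willReturn(WireMock.aResponse().withStatus(200).withBody("captured!")));
            HtmlUnitDriver driver = new HtmlUnitDriver();
            try {
                driver.get(idpAuthUri);
                WebDriverWait wait = new WebDriverWait(driver, Duration.ofMinutes(1L));
                submitLoginForm(driver, wait);
                wait.until(ExpectedConditions.urlContains("localhost:" + CAPTURE_PORT));
                URI captured = URI.create(driver.getCurrentUrl());
                Thread.sleep(1000L);
                return captured;
            } finally {
                driver.quit();
            }
        } finally {
            captureServer.stop();
        }
    }

    /**
     * Asks MDS, authenticated with {@code authToken}, whether {@code User:<subject>} with the
     * given groups may perform {@code Write} on topic {@code test} in the metadata cluster.
     */
    public List<AuthorizeResult> checkAccess(String subject, Set<String> groups, String authToken) throws IOException {
        Action writeToTestTopic = new Action(this.mdsKafkaCluster, new ResourceType("Topic"), "test", new Operation("Write"));
        AuthorizeRequest request = new AuthorizeRequest("User:" + subject, groups, "", Collections.singletonList(writeToTestTopic));
        return (List) V1RbacRetrofitFactory.buildWithToken(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, authToken).authorize(request).execute().body();
    }

    /** Removes the {@code SystemAdmin} binding of {@code principal} on the metadata cluster. */
    private void removeAccess(String principal) throws IOException {
        Assert.assertTrue(V1RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, "mds").removeRoleForPrincipal(principal, "SystemAdmin", new MdsScope(this.mdsKafkaCluster)).execute().isSuccessful());
    }

    /** Binds {@code SystemAdmin} on the metadata cluster to {@code principal}. */
    private void grantAccess(String principal) throws IOException {
        Assert.assertTrue(V1RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST, this.actualMdsPort, "mds").addClusterRoleForPrincipal(principal, "SystemAdmin", new MdsScope(this.mdsKafkaCluster)).execute().isSuccessful());
    }
}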
