package integration.sso.oidc;

import com.fasterxml.jackson.databind.JsonNode;
import dasniko.testcontainers.keycloak.KeycloakContainer;
import io.confluent.oidc.entities.CheckDeviceAuthRequest;
import io.confluent.oidc.entities.CheckDeviceAuthResponse;
import io.confluent.oidc.entities.ExtendAuthResponse;
import io.confluent.oidc.entities.InitDeviceAuthResponse;
import io.confluent.oidc.exceptions.TokenResponseException;
import io.confluent.rbacapi.retrofit.v1.V1RbacRestApi;
import io.confluent.rbacapi.retrofit.v1.V1RbacRetrofitFactory;
import io.confluent.security.authentication.http.HttpClient;
import io.confluent.security.test.utils.RbacClusters;
import io.confluent.tokenapi.entities.RefreshTokenRequest;
import java.io.FileReader;
import java.net.URI;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.time.Duration;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.ws.rs.core.Response;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.openssl.PEMParser;
import org.hamcrest.Matcher;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.hamcrest.core.Is;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.junit.Assert;
import org.junit.jupiter.api.Assertions;
import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.htmlunit.HtmlUnitDriver;
import org.openqa.selenium.support.ui.ExpectedConditions;
import org.openqa.selenium.support.ui.WebDriverWait;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;
import retrofit2.Response;
import utils.KafkaConfigTool;
import utils.MdsTestUtil;

@Test(groups = {"classParallelTests"})
/* loaded from: input_file:integration/sso/oidc/V1OidcDeviceAuthApiTest.class */
public class V1OidcDeviceAuthApiTest {
    private KeycloakContainer keycloak;
    private RbacClusters.Config rbacConfig;
    private RbacClusters rbacClusters;
    private int actualMdsPort;
    private HttpClient httpClient;
    static final /* synthetic */ boolean $assertionsDisabled;

    @BeforeClass
    public void setUp() throws Throwable {
        this.httpClient = HttpClient.builder().build();
        String property = System.getProperty("os.arch");
        String property2 = System.getProperty("os.name");
        System.out.println("Detected arch : " + property);
        System.out.println("Detected osName : " + property2);
        if ((property == null || !property.startsWith("arm64")) && (property == null || property2 == null || !property.startsWith("x86_64") || !property2.contains("Mac"))) {
            System.out.println("Initializing keycloak for x86/amd64 architecture");
            this.keycloak = new KeycloakContainer("quay.io/keycloak/keycloak:17.0.0-legacy").withRealmImportFile("sso/keycloak-cp-sso-realm.json");
        } else {
            System.out.println("Initializing keycloak for ARM architecture");
            this.keycloak = new KeycloakContainer("mihaibob/keycloak:17.0.0-legacy").withRealmImportFile("sso/keycloak-cp-sso-realm.json");
        }
        System.out.println("Starting Keycloak server. This may take few seconds.");
        this.keycloak.withStartupTimeout(Duration.ofMinutes(10L));
        this.keycloak.start();
        System.out.println("Keycloak server started at: " + this.keycloak.getAuthServerUrl());
        this.rbacConfig = KafkaConfigTool.hashWithTokensAndOidc("mds", Arrays.asList("mds", "mds"), getOidcConfigs());
        this.rbacClusters = new RbacClusters(this.rbacConfig);
        this.actualMdsPort = MdsTestUtil.lookupActualMdsPort(this.rbacClusters);
    }

    @AfterClass
    public void tearDown() {
        this.rbacClusters.shutdown();
        MdsTestUtil.releasePort(this.actualMdsPort);
        this.keycloak.stop();
    }

    @Test
    public void testCreateDeviceAuthInfo() throws Exception {
        validateInitDeviceAuthResponse(V1RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST + ":" + this.actualMdsPort, false).createDeviceAuthInfo().execute());
    }

    @Test
    public void testAuthenticateFlow() throws Exception {
        V1RbacRestApi build = V1RbacRetrofitFactory.build(MdsTestUtil.DEFAULT_HTTP_ADVERTISED_HOST + ":" + this.actualMdsPort, false);
        Response execute = build.createDeviceAuthInfo().execute();
        MatcherAssert.assertThat(execute.body(), Matchers.notNullValue());
        String verificationUri = ((InitDeviceAuthResponse) execute.body()).verificationUri();
        CheckDeviceAuthRequest checkDeviceAuthRequest = new CheckDeviceAuthRequest(((InitDeviceAuthResponse) execute.body()).userCode(), ((InitDeviceAuthResponse) execute.body()).key());
        validatePendingAuthResponse((CheckDeviceAuthResponse) build.checkAuth(checkDeviceAuthRequest).execute().body(), ((InitDeviceAuthResponse) execute.body()).userCode());
        HtmlUnitDriver htmlUnitDriver = new HtmlUnitDriver();
        fillFormAndLogin(htmlUnitDriver, verificationUri);
        htmlUnitDriver.quit();
        Response execute2 = build.checkAuth(checkDeviceAuthRequest).execute();
        validateCompletedAuthResponse((CheckDeviceAuthResponse) execute2.body(), ((InitDeviceAuthResponse) execute.body()).userCode());
        String authToken = ((CheckDeviceAuthResponse) execute2.body()).authToken();
        String refreshToken = ((CheckDeviceAuthResponse) execute2.body()).refreshToken();
        JwtClaims verifyAuthTokenAndGetClaims = verifyAuthTokenAndGetClaims(authToken);
        MatcherAssert.assertThat(verifyAuthTokenAndGetClaims.getClaimValue("groups"), Matchers.instanceOf(List.class));
        MatcherAssert.assertThat((List) verifyAuthTokenAndGetClaims.getClaimValue("groups"), Matchers.containsInAnyOrder(new Matcher[]{Is.is("/g1"), Is.is("/g3/g33")}));
        Response execute3 = build.checkAuth(checkDeviceAuthRequest).execute();
        validateErrorAuthResponse((CheckDeviceAuthResponse) execute3.body(), ((InitDeviceAuthResponse) execute.body()).userCode());
        if (!$assertionsDisabled && execute3.body() == null) {
            throw new AssertionError();
        }
        Response execute4 = build.extendAuth(new RefreshTokenRequest(authToken, refreshToken)).execute();
        MatcherAssert.assertThat(execute4.body(), Matchers.notNullValue());
        JwtClaims verifyAuthTokenAndGetClaims2 = verifyAuthTokenAndGetClaims(((ExtendAuthResponse) execute4.body()).authToken());
        MatcherAssert.assertThat(verifyAuthTokenAndGetClaims2.getClaimValue("groups"), Matchers.instanceOf(List.class));
        MatcherAssert.assertThat((List) verifyAuthTokenAndGetClaims2.getClaimValue("groups"), Matchers.containsInAnyOrder(new Matcher[]{Is.is("/g1"), Is.is("/g3/g33")}));
        Thread.sleep(1000L);
        Response execute5 = build.extendAuth(new RefreshTokenRequest(authToken, (String) null)).execute();
        MatcherAssert.assertThat(execute5.body(), Matchers.notNullValue());
        String authToken2 = ((ExtendAuthResponse) execute5.body()).authToken();
        JwtClaims verifyAuthTokenAndGetClaims3 = verifyAuthTokenAndGetClaims(authToken2);
        Assert.assertNotEquals(authToken, authToken2);
        MatcherAssert.assertThat(verifyAuthTokenAndGetClaims3.getClaimValue("groups"), Matchers.instanceOf(List.class));
        MatcherAssert.assertThat((List) verifyAuthTokenAndGetClaims3.getClaimValue("groups"), Matchers.containsInAnyOrder(new Matcher[]{Is.is("/g1"), Is.is("/g3/g33")}));
    }

    private Map<String, String> getOidcConfigs() throws Exception {
        JsonNode fetchIdpConfigs = fetchIdpConfigs(URI.create(this.keycloak.getAuthServerUrl() + "/realms/cpsso/.well-known/openid-configuration"));
        HashMap hashMap = new HashMap();
        hashMap.put("confluent.oidc.idp.groups.claim.name", "profile_groups");
        hashMap.put("confluent.oidc.idp.refresh.token.enabled", "false");
        hashMap.put("confluent.oidc.idp.jwks.endpoint.uri", fetchIdpConfigs.get("jwks_uri").asText());
        hashMap.put("confluent.oidc.idp.authorize.base.endpoint.uri", fetchIdpConfigs.get("authorization_endpoint").asText());
        hashMap.put("confluent.oidc.idp.device.authorization.endpoint.uri", fetchIdpConfigs.get("device_authorization_endpoint").asText());
        hashMap.put("confluent.oidc.idp.client.id", "ssologin");
        hashMap.put("confluent.oidc.idp.client.secret", "KbLRih1HzjDC267PefuKU7QIoZ8hgHDK");
        hashMap.put("confluent.oidc.idp.token.base.endpoint.uri", fetchIdpConfigs.get("token_endpoint").asText());
        hashMap.put("confluent.oidc.idp.issuer", fetchIdpConfigs.get("issuer").asText());
        return hashMap;
    }

    private JsonNode fetchIdpConfigs(URI uri) throws Exception {
        return (JsonNode) this.httpClient.target(uri).request().rx().get().thenApply(response -> {
            if (response == null) {
                throw new RuntimeException("response from keycloak is null. Validate realm configs.");
            }
            if (Response.Status.OK.getStatusCode() != response.getStatus()) {
                throw new RuntimeException("Failed to fetch configuration from keycloak with status:" + response.getStatus());
            }
            return (JsonNode) response.readEntity(JsonNode.class);
        }).exceptionally(th -> {
            throw new TokenResponseException("Failed to retrieve keycloak configs", th);
        }).toCompletableFuture().get();
    }

    private void validateInitDeviceAuthResponse(retrofit2.Response<InitDeviceAuthResponse> response) {
        InitDeviceAuthResponse initDeviceAuthResponse = (InitDeviceAuthResponse) response.body();
        MatcherAssert.assertThat(initDeviceAuthResponse, Matchers.notNullValue());
        MatcherAssert.assertThat(initDeviceAuthResponse.userCode(), Matchers.notNullValue());
        MatcherAssert.assertThat(Integer.valueOf(initDeviceAuthResponse.userCode().length()), Matchers.greaterThan(1));
        MatcherAssert.assertThat(initDeviceAuthResponse.key(), Matchers.notNullValue());
        MatcherAssert.assertThat(Integer.valueOf(initDeviceAuthResponse.key().length()), Matchers.greaterThan(1));
        MatcherAssert.assertThat(initDeviceAuthResponse.verificationUri(), Matchers.notNullValue());
        MatcherAssert.assertThat(Integer.valueOf(initDeviceAuthResponse.verificationUri().length()), Matchers.greaterThan(1));
        MatcherAssert.assertThat(initDeviceAuthResponse.verificationUri(), Matchers.matchesPattern("http.*"));
        MatcherAssert.assertThat(initDeviceAuthResponse.verificationUri(), Matchers.matchesPattern(".*" + initDeviceAuthResponse.userCode()));
        MatcherAssert.assertThat(initDeviceAuthResponse.interval(), Matchers.greaterThanOrEqualTo(5));
    }

    private void validatePendingAuthResponse(CheckDeviceAuthResponse checkDeviceAuthResponse, String str) {
        Assertions.assertNotNull(checkDeviceAuthResponse);
        Assertions.assertNull(checkDeviceAuthResponse.error());
        Assertions.assertNull(checkDeviceAuthResponse.authToken());
        Assertions.assertNull(checkDeviceAuthResponse.expiresIn());
        Assertions.assertFalse(checkDeviceAuthResponse.complete().booleanValue());
        Assertions.assertEquals(str, checkDeviceAuthResponse.userCode());
        Assertions.assertEquals("authorization_pending", checkDeviceAuthResponse.status());
        Assertions.assertEquals("The authorization request is still pending", checkDeviceAuthResponse.description());
    }

    private void validateCompletedAuthResponse(CheckDeviceAuthResponse checkDeviceAuthResponse, String str) {
        Assertions.assertNotNull(checkDeviceAuthResponse);
        Assertions.assertNull(checkDeviceAuthResponse.error());
        Assertions.assertNotNull(checkDeviceAuthResponse.authToken());
        Assertions.assertNotNull(checkDeviceAuthResponse.refreshToken());
        Assertions.assertNotNull(checkDeviceAuthResponse.expiresIn());
        Assert.assertTrue(checkDeviceAuthResponse.complete().booleanValue());
        Assertions.assertEquals(str, checkDeviceAuthResponse.userCode());
        Assertions.assertEquals("success", checkDeviceAuthResponse.status());
        Assertions.assertEquals("Authentication successful.", checkDeviceAuthResponse.description());
    }

    private void validateErrorAuthResponse(CheckDeviceAuthResponse checkDeviceAuthResponse, String str) {
        Assertions.assertNotNull(checkDeviceAuthResponse);
        Assertions.assertNull(checkDeviceAuthResponse.authToken());
        Assertions.assertNull(checkDeviceAuthResponse.expiresIn());
        Assertions.assertNull(checkDeviceAuthResponse.status());
        Assert.assertTrue(checkDeviceAuthResponse.complete().booleanValue());
        Assertions.assertEquals(str, checkDeviceAuthResponse.userCode());
        Assertions.assertEquals("invalid_grant", checkDeviceAuthResponse.error());
        Assertions.assertEquals("Device code not valid", checkDeviceAuthResponse.description());
    }

    private void fillFormAndLogin(WebDriver webDriver, String str) {
        try {
            webDriver.get(str);
            WebDriverWait webDriverWait = new WebDriverWait(webDriver, Duration.ofMinutes(1L));
            webDriverWait.until(ExpectedConditions.presenceOfElementLocated(By.id("username")));
            webDriver.findElement(By.id("username")).sendKeys(new CharSequence[]{"testuser1"});
            webDriver.findElement(By.id("password")).sendKeys(new CharSequence[]{"testuser1"});
            webDriver.findElement(By.id("kc-login")).click();
            Thread.sleep(2000L);
            webDriverWait.until(ExpectedConditions.presenceOfElementLocated(By.id("kc-login")));
            webDriver.findElement(By.id("kc-login")).click();
            Thread.sleep(2000L);
            webDriverWait.until(ExpectedConditions.textMatches(By.id("kc-page-title"), Pattern.compile(".*Device Login Successful.*")));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private JwtClaims verifyAuthTokenAndGetClaims(String str) throws Exception {
        return new JwtConsumerBuilder().setRequireJwtId().setExpectedIssuer(true, "Confluent").setSkipDefaultAudienceValidation().setRequireSubject().setRequireExpirationTime().setAllowedClockSkewInSeconds(30).setVerificationKey(loadPublicKeyFromFile(this.rbacConfig.publicKey)).build().processToClaims(str);
    }

    private PublicKey loadPublicKeyFromFile(String str) throws Exception {
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(((SubjectPublicKeyInfo) new PEMParser(new FileReader(str)).readObject()).getEncoded()));
    }

    static {
        $assertionsDisabled = !V1OidcDeviceAuthApiTest.class.desiredAssertionStatus();
    }
}
