package io.confluent.security.authentication.oauthbearer;

import com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider;
import io.confluent.security.authentication.AuthenticationException;
import io.confluent.security.authentication.Authenticator;
import io.confluent.security.authentication.credential.BearerCredential;
import io.confluent.security.authentication.credential.HttpBasicCredential;
import io.confluent.security.authentication.credential.HttpBearerCredential;
import io.confluent.security.authentication.credential.HttpCredential;
import io.confluent.security.authentication.http.ConfluentSecurityContext;
import io.confluent.security.authentication.http.HttpAuthenticatorJwt;
import io.confluent.security.authentication.http.HttpClient;
import io.confluent.security.authentication.utils.JacksonSerde;
import io.confluent.security.fixtures.OpenId.ClientRegistration;
import io.confluent.security.fixtures.OpenIdProvider;
import io.confluent.security.fixtures.http.JerseyHttpService;
import io.confluent.security.fixtures.http.JsonSecurityContext;
import io.confluent.security.trustservice.entities.v1.AssumePrincipalData;
import io.confluent.security.trustservice.entities.v1.AssumePrincipalResponse;
import java.io.IOException;
import java.util.Collections;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test;

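/**
 * Integration test for {@link TrustServiceBearerServerAuthFilter}.
 *
 * <p>Topology built in {@link #setUp()}:
 * <ul>
 *   <li>{@code httpService} hosts the protected {@code /server} resource behind the filter under
 *       test, which is constructed with a {@link TrustServiceClient} pointing at {@code /mds} and an
 *       {@link HttpAuthenticatorJwt} that trusts the MDS {@link OpenIdProvider}.</li>
 *   <li>{@code mdsService} hosts a dummy {@code /mds} token-exchange resource guarded by
 *       {@link DummyHttpServerAuthFilter}, which accepts only bearer tokens issued by the
 *       third-party {@link OpenIdProvider}.</li>
 * </ul>
 * The test client presents a third-party token; the assertions check what principal the protected
 * resource eventually sees.
 */
@Disabled("Disabled until find a better way to do docker test!")
public class TrustServiceBearerServerAuthFilterTest {
    /** Lifetime (seconds, per {@code expiresIn}) the dummy MDS reports when no test overrides it. */
    private static final long DEFAULT_TOKEN_EXPIRY = 3600L;

    /** Hosts {@link HttpTestServer} behind the filter under test. */
    private static JerseyHttpService httpService;
    /** Validates the bearer token presented to the dummy MDS endpoint. */
    private static Authenticator<BearerCredential, JwtPrincipal> thirdPartyAuthenticator;
    /** Token minted by {@link #thirdPartyOpenIdProvider}; what the test client sends. */
    private static String thirdPartyBearerToken;
    /** Issues the third-party token; kept as a field so {@link #tearDown()} can close it. */
    private static OpenIdProvider thirdPartyOpenIdProvider;
    /** Issues the tokens the dummy MDS endpoint hands back. */
    private static OpenIdProvider mdsOpenIdProvider;
    /** Client registered with {@link #mdsOpenIdProvider}; its id is the expected principal. */
    private static ClientRegistration mdsClientRegistration;
    /** Hosts the dummy {@link HttpTestMds} token-exchange resource. */
    private static JerseyHttpService mdsService;
    private static TrustServiceClient trustServiceClient;
    /**
     * Lifetime reported in the dummy MDS response. Written on the test thread and read on the
     * Jersey request thread serving {@link HttpTestMds#tokenExchange}, hence {@code volatile}.
     */
    private static volatile long tokenExpiry = DEFAULT_TOKEN_EXPIRY;

    /**
     * Minimal auth filter for the dummy MDS service: only an {@code Authorization: Bearer} header
     * that {@link #thirdPartyAuthenticator} validates gets through; anything else is answered 401.
     * (The decompiler reports the original access modifier of this class as private.)
     */
    public static class DummyHttpServerAuthFilter implements ContainerRequestFilter {
        private DummyHttpServerAuthFilter() {
        }

        @Override
        public void filter(ContainerRequestContext requestContext) throws IOException {
            String authorization = requestContext.getHeaders().getFirst("Authorization");
            if (authorization == null) {
                // No credential at all: reject without attempting to parse the header.
                requestContext.abortWith(unauthorized());
                return;
            }
            HttpCredential credential = HttpCredential.read(authorization);
            if (!(credential instanceof HttpBearerCredential)) {
                requestContext.abortWith(unauthorized());
                return;
            }
            try {
                requestContext.setSecurityContext(new ConfluentSecurityContext(
                    credential.scheme(),
                    thirdPartyAuthenticator.authenticate(new BearerCredential(credential.authParams())),
                    true));
            } catch (AuthenticationException e) {
                // Invalid or untrusted token: same response as a missing one, no detail leaked.
                requestContext.abortWith(unauthorized());
            }
        }

        private static Response unauthorized() {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
    }

    /** Dummy MDS: exchanges whatever passed {@link DummyHttpServerAuthFilter} for an MDS-issued token. */
    @Path("/")
    public static class HttpTestMds {
        /**
         * Returns a token from {@link #mdsOpenIdProvider} for {@link #mdsClientRegistration},
         * reporting the current {@link #tokenExpiry} as its lifetime.
         */
        @POST
        @Produces(MediaType.APPLICATION_JSON)
        @Path("mds")
        public AssumePrincipalResponse tokenExchange(@Context SecurityContext securityContext) {
            AssumePrincipalData data = AssumePrincipalData.builder()
                .token(mdsOpenIdProvider.clientCredentialsGrant(mdsClientRegistration))
                .expiresIn(tokenExpiry)
                .build();
            return AssumePrincipalResponse.create(data);
        }
    }

    /** Protected resource: echoes the security context the filter under test installed. */
    @Path("/")
    public static class HttpTestServer {
        @GET
        @Produces(MediaType.APPLICATION_JSON)
        @Path("server")
        public JsonSecurityContext getPrincipal(@Context SecurityContext securityContext) {
            return new JsonSecurityContext(securityContext);
        }
    }

    /**
     * Starts both OpenID providers and both Jersey services described on the class.
     *
     * @throws Exception if any fixture fails to start
     */
    @BeforeAll
    public static void setUp() throws Exception {
        // Provider whose tokens the dummy MDS endpoint hands back.
        mdsOpenIdProvider = new OpenIdProvider();
        mdsOpenIdProvider.start();
        ProviderMetadata mdsMetadata = mdsOpenIdProvider.providerMetadata();
        mdsClientRegistration = mdsOpenIdProvider.registerClient();

        // Provider whose tokens the test client presents to the server under test.
        thirdPartyOpenIdProvider = new OpenIdProvider();
        thirdPartyOpenIdProvider.start();
        ProviderMetadata thirdPartyMetadata = thirdPartyOpenIdProvider.providerMetadata();
        ClientRegistration thirdPartyClient = thirdPartyOpenIdProvider.registerClient();

        Authenticator<BearerCredential, JwtPrincipal> mdsAuthenticator = jwksAuthenticator(mdsMetadata);
        thirdPartyAuthenticator = jwksAuthenticator(thirdPartyMetadata);
        thirdPartyBearerToken = thirdPartyOpenIdProvider.clientCredentialsGrant(thirdPartyClient);

        HttpAuthenticatorJwt mdsHttpAuthenticator = new HttpAuthenticatorJwt(mdsAuthenticator);
        HttpClient trustServiceHttpClient = HttpClient.builder().build();

        mdsService = new JerseyHttpService(config -> {
            config.register(HttpTestMds.class);
            config.register(new DummyHttpServerAuthFilter());
            config.register(new JacksonJaxbJsonProvider(
                JacksonSerde.jsonMapper(), JacksonJaxbJsonProvider.DEFAULT_ANNOTATIONS));
        });
        mdsService.start();

        trustServiceClient = TrustServiceClient.builder()
            .client(trustServiceHttpClient)
            .authenticateEndpoint(mdsService.getURI().resolve("/mds"))
            .build();

        httpService = new JerseyHttpService(config -> {
            config.register(HttpTestServer.class);
            config.register(new TrustServiceBearerServerAuthFilter(trustServiceClient, mdsHttpAuthenticator));
            config.register(new JacksonJaxbJsonProvider(
                JacksonSerde.jsonMapper(), JacksonJaxbJsonProvider.DEFAULT_ANNOTATIONS));
        });
        httpService.start();
    }

    /** Builds a JWT authenticator that trusts only the given provider's issuer, keyed via its JWKS endpoint. */
    private static Authenticator<BearerCredential, JwtPrincipal> jwksAuthenticator(ProviderMetadata metadata) {
        return JwtAuthenticationConfig.builder()
            .issuers(Collections.singletonList(JwtIssuerJwks.builder()
                .name(metadata.issuer())
                .jwksUri(metadata.jwksEndpoint().toString())
                .build()))
            .build()
            .createAuthenticator();
    }

    /**
     * Stops every fixture started by {@link #setUp()}. Each step runs even if an earlier one throws;
     * the first failure is rethrown with later ones attached as suppressed exceptions.
     *
     * @throws Exception the first shutdown failure, if any
     */
    @AfterAll
    public static void tearDown() throws Exception {
        runAll(
            () -> {
                if (httpService != null) {
                    httpService.stop();
                }
            },
            () -> {
                if (mdsService != null) {
                    mdsService.stop();
                }
            },
            () -> {
                if (mdsOpenIdProvider != null) {
                    mdsOpenIdProvider.close();
                }
            },
            () -> {
                if (thirdPartyOpenIdProvider != null) {
                    thirdPartyOpenIdProvider.close();
                }
            });
    }

    @FunctionalInterface
    private interface ShutdownStep {
        void run() throws Exception;
    }

    /** Runs all steps; rethrows the first exception with later ones suppressed onto it. */
    private static void runAll(ShutdownStep... steps) throws Exception {
        Exception first = null;
        for (ShutdownStep step : steps) {
            try {
                step.run();
            } catch (Exception e) {
                if (first == null) {
                    first = e;
                } else {
                    first.addSuppressed(e);
                }
            }
        }
        if (first != null) {
            throw first;
        }
    }

    /** A valid third-party token plus a pool-id header yields the MDS principal at the resource. */
    @Test
    public void testFilterForwardsTokenSuccessfully() {
        Response response = HttpClient.builder().build()
            .target(httpService.getURI().resolve("/server"), new HttpBearerCredential(thirdPartyBearerToken))
            .request(MediaType.APPLICATION_JSON_TYPE)
            .header("Confluent-Pool-Id", "pool_id")
            .get();
        try {
            assertMdsPrincipal(response.readEntity(JsonSecurityContext.class));
        } finally {
            response.close();
        }
    }

    /** Same as above without the pool-id header. */
    @Test
    public void testFilterForwardsTokenWithoutPoolIdSuccessfully() {
        Response response = HttpClient.builder().build()
            .target(httpService.getURI().resolve("/server"), new HttpBearerCredential(thirdPartyBearerToken))
            .request(MediaType.APPLICATION_JSON_TYPE)
            .get();
        try {
            assertMdsPrincipal(response.readEntity(JsonSecurityContext.class));
        } finally {
            response.close();
        }
    }

    /** No credential at all must be rejected with 401. */
    @Test
    public void testFilterForwardsFailsWithNoCredential() {
        Response response = HttpClient.builder().build()
            .target(httpService.getURI().resolve("/server"))
            .request(MediaType.APPLICATION_JSON_TYPE)
            .get();
        try {
            Assertions.assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
        } finally {
            response.close();
        }
    }

    /** An exchanged token that is already expired (expiresIn = 0) must not authenticate the request. */
    @Test
    public void testFilterForwardsFailsWithExpiredToken() {
        int status = statusWithTokenExpiry(0L, new HttpBearerCredential(thirdPartyBearerToken));
        Assertions.assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), status);
    }

    /**
     * A Basic credential must be rejected with 401. The expiry is zeroed as in the original test so
     * that, should an exchange unexpectedly happen anyway, the resulting token is unusable too.
     */
    @Test
    public void testFilterForwardsFailsWithWrongAuthType() {
        int status = statusWithTokenExpiry(0L, new HttpBasicCredential("username", "password"));
        Assertions.assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), status);
    }

    /** The resource must see a Bearer scheme and the MDS client id as principal, i.e. the exchanged token. */
    private static void assertMdsPrincipal(JsonSecurityContext securityContext) {
        Assertions.assertNotNull(securityContext);
        Assertions.assertEquals(HttpCredential.Scheme.BEARER.toString(), securityContext.scheme());
        Assertions.assertEquals(mdsClientRegistration.clientId(), securityContext.principal());
    }

    /**
     * GETs {@code /server} with the given credential while the dummy MDS reports {@code expiry},
     * restoring {@link #DEFAULT_TOKEN_EXPIRY} afterwards even if the request throws.
     *
     * @return the HTTP status of the response
     */
    private static int statusWithTokenExpiry(long expiry, HttpCredential credential) {
        tokenExpiry = expiry;
        try {
            Response response = HttpClient.builder().build()
                .target(httpService.getURI().resolve("/server"), credential)
                .request(MediaType.APPLICATION_JSON_TYPE)
                .get();
            try {
                return response.getStatus();
            } finally {
                response.close();
            }
        } finally {
            tokenExpiry = DEFAULT_TOKEN_EXPIRY;
        }
    }
}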
