package io.confluent.security.authentication.http;

import com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider;
import io.confluent.security.authentication.credential.HttpBasicCredential;
import io.confluent.security.authentication.credential.HttpBearerCredential;
import io.confluent.security.authentication.credential.HttpCredential;
import io.confluent.security.authentication.oauthbearer.JwtAuthenticationConfig;
import io.confluent.security.authentication.oauthbearer.JwtIssuerJwks;
import io.confluent.security.authentication.oauthbearer.ProviderMetadata;
import io.confluent.security.authentication.utils.JacksonSerde;
import io.confluent.security.fixtures.OpenId.ClientRegistration;
import io.confluent.security.fixtures.OpenIdProvider;
import io.confluent.security.fixtures.http.JerseyHttpService;
import io.confluent.security.fixtures.http.JsonSecurityContext;
import java.util.Collections;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test;

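/**
 * Integration tests for {@link HttpServerAuthFilter} backed by {@link HttpAuthenticatorJwt}.
 *
 * <p>Two {@link OpenIdProvider} fixtures are started. Only the issuer and JWKS endpoint of the
 * first one are registered with the authenticator, so tokens minted by the second provider are
 * validly signed but come from an issuer the server was never configured to trust.
 *
 * <p>The filter is also handed a single-entry path list, {@code "anonAccess"}; the tests expect
 * that path to be reachable without credentials and every other path to answer 401.
 *
 * <p>NOTE(review): the class is {@code @Disabled}, so none of these rejection cases (stripped
 * signature, untrusted issuer, wrong scheme, no credentials) run in CI until it is re-enabled.
 */
@Disabled("Disabled until TestContainers initialization issues on jenkins can be solved")
public class HttpJwtIntegrationTest {
    // Provider whose issuer/JWKS the server under test is configured to trust.
    private static OpenIdProvider openIdProvider1;
    private static ClientRegistration clientMetadata1;
    // Provider that is deliberately NOT registered with the authenticator.
    private static OpenIdProvider openIdProvider2;
    private static ClientRegistration clientMetadata2;
    private static JerseyHttpService httpProvider;

    /** Minimal JAX-RS resource that echoes the request's security context back as JSON. */
    @Path("/")
    public static class HttpTestApplication {
        /**
         * Endpoint the tests expect to require a bearer token.
         *
         * @param securityContext security context injected for the current request
         * @return JSON view of {@code securityContext}
         */
        @GET
        @Produces({"application/json"})
        @Path("test")
        public JsonSecurityContext testJwtAuthentication(@Context SecurityContext securityContext) {
            return new JsonSecurityContext(securityContext);
        }

        /**
         * Endpoint whose path is passed to the auth filter in {@code setup()} and that the tests
         * expect to be reachable without credentials.
         *
         * @param securityContext security context injected for the current request
         * @return JSON view of {@code securityContext}
         */
        @GET
        @Produces({"application/json"})
        @Path("anonAccess")
        public JsonSecurityContext testAnonymousAccess(@Context SecurityContext securityContext) {
            return new JsonSecurityContext(securityContext);
        }
    }

    /**
     * Starts both identity providers and the HTTP service under test.
     *
     * @throws Exception if a fixture fails to start
     */
    @BeforeAll
    static void setup() throws Exception {
        openIdProvider1 = new OpenIdProvider();
        openIdProvider1.start();
        ProviderMetadata providerMetadata = openIdProvider1.providerMetadata();
        clientMetadata1 = openIdProvider1.registerClient();

        openIdProvider2 = new OpenIdProvider();
        openIdProvider2.start();
        clientMetadata2 = openIdProvider2.registerClient();

        // Only provider 1 is listed as an issuer; provider 2 stays unknown to the server.
        HttpAuthenticatorJwt httpAuthenticatorJwt =
            new HttpAuthenticatorJwt(
                JwtAuthenticationConfig.builder()
                    .issuers(
                        Collections.singletonList(
                            JwtIssuerJwks.builder()
                                .name(providerMetadata.issuer())
                                .jwksUri(providerMetadata.jwksEndpoint().toString())
                                .build()))
                    .build()
                    .createAuthenticator());

        httpProvider = new JerseyHttpService(resourceConfig -> {
            resourceConfig.register(HttpTestApplication.class);
            resourceConfig.register(
                new HttpServerAuthFilter(
                    httpAuthenticatorJwt, () -> Collections.singletonList("anonAccess")));
            resourceConfig.register(
                new JacksonJaxbJsonProvider(
                    JacksonSerde.jsonMapper(), JacksonJaxbJsonProvider.DEFAULT_ANNOTATIONS));
        });
        httpProvider.start();
    }

    /**
     * Releases every fixture that was created.
     *
     * <p>Each fixture is null-checked and released in its own {@code finally} step, so a failure
     * part-way through {@code setup()} or in one {@code close()} does not leave the remaining
     * providers or the HTTP service running.
     *
     * @throws Exception if a fixture fails to shut down
     */
    @AfterAll
    static void tearDown() throws Exception {
        try {
            if (openIdProvider1 != null) {
                openIdProvider1.close();
            }
        } finally {
            try {
                if (openIdProvider2 != null) {
                    openIdProvider2.close();
                }
            } finally {
                if (httpProvider != null) {
                    httpProvider.stop();
                }
            }
        }
    }

    /** A token from the trusted provider is accepted and the client id becomes the principal. */
    @Test
    public void httpJwtAuthenticationSuccess() {
        JsonSecurityContext jsonSecurityContext =
            (JsonSecurityContext)
                HttpClient.builder()
                    .authentication(
                        new HttpBearerCredential(
                            openIdProvider1.clientCredentialsGrant(clientMetadata1)))
                    .build()
                    .target(httpProvider.getURI().resolve("/test"))
                    .request()
                    .get(JsonSecurityContext.class);
        Assertions.assertNotNull(jsonSecurityContext);
        // JUnit's contract is assertEquals(expected, actual); keeping that order makes a failure
        // message report the right side as the unexpected value.
        Assertions.assertEquals(
            HttpCredential.Scheme.BEARER.toString(), jsonSecurityContext.scheme());
        Assertions.assertEquals(clientMetadata1.clientId(), jsonSecurityContext.principal());
    }

    /** A token from the trusted provider whose signature segment was removed is rejected. */
    @Test
    public void httpJwtAuthenticationMissingSignature() {
        String clientCredentialsGrant = openIdProvider1.clientCredentialsGrant(clientMetadata1);
        // Keep "header.payload." and cut everything after the last dot, so the claims are intact
        // and only the signature is empty. Taking substring(indexOf(".")) would strip the header
        // instead and exercise a malformed-token path rather than signature enforcement.
        String unsignedToken =
            clientCredentialsGrant.substring(0, clientCredentialsGrant.lastIndexOf('.') + 1);
        Assertions.assertEquals(
            401,
            HttpClient.builder()
                .authentication(new HttpBearerCredential(unsignedToken))
                .build()
                .target(httpProvider.getURI().resolve("/test"))
                .request()
                .get()
                .getStatus());
    }

    /** A token minted by the unregistered provider is rejected. */
    @Test
    public void httpJwtAuthenticationUnrecognizedIssuer() {
        Assertions.assertEquals(
            401,
            HttpClient.builder()
                .authentication(
                    new HttpBearerCredential(
                        openIdProvider2.clientCredentialsGrant(clientMetadata2)))
                .build()
                .target(httpProvider.getURI().resolve("/test"))
                .request()
                .get()
                .getStatus());
    }

    /**
     * A token from the unregistered provider gets 401 even for a path with no resource.
     *
     * <p>Expecting 401 rather than 404 pins that a caller without a trusted token cannot learn
     * from the status code which paths exist.
     */
    @Test
    public void httpJwtAuthenticationUnrecognizedIssuerPathNotFound() {
        Assertions.assertEquals(
            401,
            HttpClient.builder()
                .authentication(
                    new HttpBearerCredential(
                        openIdProvider2.clientCredentialsGrant(clientMetadata2)))
                .build()
                .target(httpProvider.getURI().resolve("/notFound"))
                .request()
                .get()
                .getStatus());
    }

    /** Basic credentials are rejected and the challenge names the Bearer scheme. */
    @Test
    public void httpJwtAuthenticationIncompatibleScheme() {
        Response response =
            HttpClient.builder()
                .authentication(new HttpBasicCredential("user", "pwd"))
                .build()
                .target(httpProvider.getURI().resolve("/test"))
                .request()
                .get();
        Assertions.assertEquals(401, response.getStatus());
        Assertions.assertEquals(
            HttpCredential.Scheme.BEARER.toString(), response.getHeaderString("WWW-Authenticate"));
    }

    /** A request without credentials to a protected path is rejected. */
    @Test
    public void httpJwtAuthenticationAnonymous() {
        Assertions.assertEquals(
            401,
            HttpClient.builder()
                .build()
                .target(httpProvider.getURI().resolve("/test"))
                .request()
                .get()
                .getStatus());
    }

    /**
     * A request without credentials to the path listed in {@code setup()} succeeds.
     *
     * <p>NOTE(review): only the status code is checked; the security context returned for the
     * anonymous caller (principal, scheme) is not inspected here.
     */
    @Test
    public void httpJwtAuthenticationAnonymousWhitelist() {
        Assertions.assertEquals(
            200,
            HttpClient.builder()
                .build()
                .target(httpProvider.getURI().resolve("/anonAccess"))
                .request()
                .get()
                .getStatus());
    }
}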
