package io.confluent.security.authentication.oauthbearer;

import io.confluent.security.authentication.oauthbearer.JwksTestFixture;
import java.util.ArrayList;
import java.util.Collections;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/security/authentication/oauthbearer/JwtIssuerJwksVerificationKeyResolverTest.class */
public class JwtIssuerJwksVerificationKeyResolverTest {
    private ConstrainedVerificationKeyResolver keyResolver;
    private String jwksUri;

    @BeforeEach
    public void setUp() {
        JwtAuthenticationConfig staticConfig = JwksTestFixture.getStaticConfig();
        AlgorithmWhitelist algorithmWhitelist = new AlgorithmWhitelist(staticConfig.algorithmWhitelist());
        JwtIssuerJwks jwtIssuerJwks = (JwtIssuerJwks) staticConfig.issuers().get(0);
        this.jwksUri = jwtIssuerJwks.jwksUri();
        HttpsJwks httpsJwks = new HttpsJwks(jwtIssuerJwks.jwksUri());
        httpsJwks.setSimpleHttpGet(new JwksTestFixture.StaticGet());
        HttpsJwksVerificationKeyResolver httpsJwksVerificationKeyResolver = new HttpsJwksVerificationKeyResolver(httpsJwks);
        httpsJwksVerificationKeyResolver.setDisambiguateWithVerifySignature(true);
        this.keyResolver = new ConstrainedVerificationKeyResolver(httpsJwksVerificationKeyResolver, Collections.singleton(algorithmWhitelist));
    }

    @Test
    public void testResolveKey() throws UnresolvableKeyException {
        JsonWebSignature jsonWebSignature = new JsonWebSignature();
        jsonWebSignature.setHeader("jku", this.jwksUri);
        jsonWebSignature.setAlgorithmHeaderValue("RS256");
        jsonWebSignature.setKeyIdHeaderValue("568ed7c4-e11a-64b2-5371-36c5b2ae2dcb");
        Assertions.assertNotNull(this.keyResolver.resolveKey(jsonWebSignature, new ArrayList()));
    }

    @Test
    public void testUnResolveKeyInvalidKid() {
        JsonWebSignature jsonWebSignature = new JsonWebSignature();
        jsonWebSignature.setHeader("jku", this.jwksUri);
        jsonWebSignature.setAlgorithmHeaderValue("RS256");
        jsonWebSignature.setHeader("kid", "k1");
        Assertions.assertTrue(((Exception) Assertions.assertThrows(UnresolvableKeyException.class, () -> {
            this.keyResolver.resolveKey(jsonWebSignature, new ArrayList());
        })).getMessage().contains("\"kid\":\"k1\""));
    }

    @Test
    public void testUnResolveKeyNoKid() {
        JsonWebSignature jsonWebSignature = new JsonWebSignature();
        jsonWebSignature.setHeader("jku", this.jwksUri);
        jsonWebSignature.setAlgorithmHeaderValue("RS256");
        Assertions.assertEquals("Failed to resolve key", ((Exception) Assertions.assertThrows(UnresolvableKeyException.class, () -> {
            this.keyResolver.resolveKey(jsonWebSignature, new ArrayList());
        })).getMessage());
    }

    @Test
    public void testResolveKeyAlgorithmNotWhiteListed() {
        JsonWebSignature jsonWebSignature = new JsonWebSignature();
        jsonWebSignature.setHeader("jku", this.jwksUri);
        jsonWebSignature.setAlgorithmHeaderValue("ES256");
        jsonWebSignature.setKeyIdHeaderValue("43eeb8e1-6f06-551a-9017-92885575f0a1");
        Exception exc = (Exception) Assertions.assertThrows(UnresolvableKeyException.class, () -> {
            this.keyResolver.resolveKey(jsonWebSignature, new ArrayList());
        });
        Assertions.assertTrue(exc.getCause() instanceof KeyConstraintException);
        Assertions.assertTrue(exc.getCause().getMessage().contains("ES256"));
    }
}
