package io.confluent.security.authentication.oauthbearer;

import io.confluent.security.authentication.AuthenticationException;
import io.confluent.security.authentication.AuthenticationExceptionReasonCodes;
import io.confluent.security.authentication.Authenticator;
import io.confluent.security.authentication.credential.BearerCredential;
import io.confluent.security.authentication.oauthbearer.JwksTestFixture;
import io.confluent.security.util.SecurityContext;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.lang.JoseException;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/security/authentication/oauthbearer/JwtAuthenticatorTest.class */
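/**
 * Exercises {@code JwtAuthenticator} against the keys and issuers provided by
 * {@link JwksTestFixture}: signature verification for statically configured PEM keys,
 * for keys from a JWKS document and for keys referenced through a {@code jku} header, plus
 * the rejection paths for a disallowed {@code alg}, an unrecognized issuer, a wrong
 * audience, missing or out-of-window time claims and an unresolvable {@code kid}.
 *
 * <p>Error messages and reason codes are asserted verbatim, so any change to the
 * authenticator's message format must be mirrored in the literals below.
 */
public class JwtAuthenticatorTest {

    private static final String RSA_SUBJECT = "rsaSubject";
    private static final String EC_SUBJECT = "ecSubject";
    private static final String MOCK_SUBJECT = "mockSubject";
    /** Default token lifetime for the positive cases and the "valid except for X" cases. */
    private static final float EXP_MINUTES = 60.0f;
    /** {@code jku} value the fixture's authenticator accepts for the JKU issuer. */
    private static final String JKU_URL = "https://auth-static.confluent.io/jwks";

    /**
     * Three-argument callback used by {@link #testMissingClaims()} to run one rejection
     * scenario per claim set.
     *
     * @param <Arg1> first argument type
     * @param <Arg2> second argument type
     * @param <Arg3> third argument type
     * @param <Ret>  result type
     */
    @FunctionalInterface
    interface TernaryFunction<Arg1, Arg2, Arg3, Ret> {
        Ret apply(Arg1 arg1, Arg2 arg2, Arg3 arg3);
    }

    /**
     * Builds the claim set shared by most cases: {@code iss}, {@code aud}, {@code sub},
     * {@code exp} relative to now and {@code nbf} equal to now. Callers add {@code iat} or
     * custom claims afterwards where a case needs them.
     *
     * @param issuer            value for the {@code iss} claim
     * @param audience          value for the {@code aud} claim
     * @param subject           value for the {@code sub} claim
     * @param expirationMinutes offset of {@code exp} from now; negative yields an expired token
     * @return a fresh, mutable claim set
     */
    private static JwtClaims baseClaims(String issuer, String audience, String subject, float expirationMinutes) {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(issuer);
        claims.setAudience(audience);
        claims.setSubject(subject);
        claims.setExpirationTimeMinutesInTheFuture(expirationMinutes);
        claims.setNotBefore(NumericDate.now());
        return claims;
    }

    /** Asserts that the principal carries the expected {@code sub} and {@code iss}. */
    private static void assertPrincipal(JwtPrincipal principal, String expectedSubject, String expectedIssuer) {
        Assertions.assertEquals(expectedSubject, principal.subject());
        Assertions.assertEquals(expectedIssuer, principal.issuer());
    }

    /** Asserts the exact message and reason code of a rejection. */
    private static void assertRejection(AuthenticationException rejection, String expectedMessage,
                                        String expectedReasonCode) {
        Assertions.assertEquals(expectedMessage, rejection.getMessage());
        Assertions.assertEquals(expectedReasonCode, rejection.reasonCode());
    }

    /**
     * A JWS signed with either statically configured PEM key (RSA, then EC) authenticates,
     * and the principal carries the token's {@code sub} and {@code iss}.
     */
    @Test
    public void testValidJwsStatic() throws JoseException {
        JwtClaims claims = baseClaims(JwksTestFixture.PEM_ISS, JwksTestFixture.VALID_AUD, RSA_SUBJECT, EXP_MINUTES);
        claims.setIssuedAt(NumericDate.now());
        Authenticator<BearerCredential, JwtPrincipal> authenticator = JwksTestFixture.authenticator();

        JwtPrincipal rsaPrincipal = authenticator.authenticate(
                JwksTestFixture.createEncodedJws(JwksTestFixture.Kid.RSA_PEM, claims));
        assertPrincipal(rsaPrincipal, RSA_SUBJECT, JwksTestFixture.PEM_ISS);

        // Same claim set re-signed with the EC key; only the subject differs so the two
        // principals are distinguishable.
        claims.setSubject(EC_SUBJECT);
        JwtPrincipal ecPrincipal = authenticator.authenticate(
                JwksTestFixture.createEncodedJws(JwksTestFixture.Kid.EC_PEM, claims));
        assertPrincipal(ecPrincipal, EC_SUBJECT, JwksTestFixture.PEM_ISS);
    }

    /**
     * A JWS signed with a key published in the fixture's JWKS document (RSA, then EC)
     * authenticates for the JWKS issuer.
     */
    @Test
    public void testValidJwsJwks() throws JoseException {
        JwtClaims claims = baseClaims(JwksTestFixture.JWKS_ISS, JwksTestFixture.VALID_AUD, RSA_SUBJECT, EXP_MINUTES);
        claims.setIssuedAt(NumericDate.now());
        Authenticator<BearerCredential, JwtPrincipal> authenticator = JwksTestFixture.authenticator();

        JwtPrincipal rsaPrincipal = authenticator.authenticate(
                JwksTestFixture.createEncodedJws(JwksTestFixture.Kid.RSA_JWKS, claims));
        assertPrincipal(rsaPrincipal, RSA_SUBJECT, JwksTestFixture.JWKS_ISS);

        claims.setSubject(EC_SUBJECT);
        JwtPrincipal ecPrincipal = authenticator.authenticate(
                JwksTestFixture.createEncodedJws(JwksTestFixture.Kid.EC_JWKS, claims));
        assertPrincipal(ecPrincipal, EC_SUBJECT, JwksTestFixture.JWKS_ISS);
    }

    /**
     * A JWS whose {@code jku} header points at the fixture's key-set URL authenticates for
     * the JKU issuer (RSA, then EC).
     *
     * <p>NOTE(review): only the positive case is covered here. A token whose {@code jku}
     * points anywhere other than {@link #JKU_URL} is not exercised in this class; confirm
     * the rejection path is covered elsewhere, since {@code jku} is attacker-controlled
     * header data.
     */
    @Test
    public void testValidJwsJku() throws JoseException {
        JwtClaims claims = baseClaims(JwksTestFixture.JKU_ISS, JwksTestFixture.VALID_AUD, RSA_SUBJECT, EXP_MINUTES);
        claims.setIssuedAt(NumericDate.now());
        Authenticator<BearerCredential, JwtPrincipal> authenticator = JwksTestFixture.authenticator();

        JsonWebSignature rsaJws = JwksTestFixture.createJws(JwksTestFixture.Kid.RSA_JKU, claims);
        rsaJws.setHeader("jku", JKU_URL);
        JwtPrincipal rsaPrincipal = authenticator.authenticate(new BearerCredential(rsaJws.getCompactSerialization()));
        assertPrincipal(rsaPrincipal, RSA_SUBJECT, JwksTestFixture.JKU_ISS);

        claims.setSubject(EC_SUBJECT);
        JsonWebSignature ecJws = JwksTestFixture.createJws(JwksTestFixture.Kid.EC_JKU, claims);
        ecJws.setHeader("jku", JKU_URL);
        JwtPrincipal ecPrincipal = authenticator.authenticate(new BearerCredential(ecJws.getCompactSerialization()));
        assertPrincipal(ecPrincipal, EC_SUBJECT, JwksTestFixture.JKU_ISS);
    }

    /**
     * A token signed with a PEM key whose algorithm (RS512, per the asserted header) is
     * outside the configured allow list is rejected with {@code JWT_HEADER_ALG_INVALID},
     * even though the key itself is known.
     */
    @Test
    public void testAlgorithmWhitelistStatic() {
        JwtClaims claims = baseClaims(JwksTestFixture.PEM_ISS, JwksTestFixture.VALID_AUD, RSA_SUBJECT, EXP_MINUTES);
        Authenticator<BearerCredential, JwtPrincipal> authenticator = JwksTestFixture.authenticator();

        AuthenticationException rejection = Assertions.assertThrows(AuthenticationException.class, () -> {
            authenticator.authenticate(JwksTestFixture.createEncodedJws(JwksTestFixture.Kid.RSA_EXCLUDE_PEM, claims));
        });
        assertRejection(rejection,
                "Failed to authenticate bearer credentials : InvalidJwtException - Headers: [{\"alg\":\"RS512\"}], Additional Details: [[JWT header field alg is not allow listed - The JWT header field Algorithm {alg} is invalid as it is not allow listed., relatedClaims: {userResourceId=null, userId=null}, identityInfo: {}]] -> KeyConstraintException",
                AuthenticationExceptionReasonCodes.ErrorTypes.JWT_HEADER_ALG_INVALID.name());
    }

    /**
     * Same algorithm allow-list check as {@link #testAlgorithmWhitelistStatic()}, for a key
     * resolved from the JWKS document.
     */
    @Test
    public void testAlgorithmWhitelistJwks() {
        JwtClaims claims = baseClaims(JwksTestFixture.JWKS_ISS, JwksTestFixture.VALID_AUD, RSA_SUBJECT, EXP_MINUTES);
        Authenticator<BearerCredential, JwtPrincipal> authenticator = JwksTestFixture.authenticator();

        AuthenticationException rejection = Assertions.assertThrows(AuthenticationException.class, () -> {
            authenticator.authenticate(JwksTestFixture.createEncodedJws(JwksTestFixture.Kid.RSA_EXCLUDE_JWKS, claims));
        });
        assertRejection(rejection,
                "Failed to authenticate bearer credentials : InvalidJwtException - Headers: [{\"kid\":\"RSA_EXCLUDE_JWKS\",\"alg\":\"RS512\"}], Additional Details: [[JWT header field alg is not allow listed - The JWT header field Algorithm {alg} is invalid as it is not allow listed., relatedClaims: {userResourceId=null, userId=null}, identityInfo: {}]] -> KeyConstraintException",
                AuthenticationExceptionReasonCodes.ErrorTypes.JWT_HEADER_ALG_INVALID.name());
    }

    /**
     * Same algorithm allow-list check as {@link #testAlgorithmWhitelistStatic()}, for a key
     * resolved through {@code jku}.
     */
    @Test
    public void testAlgorithmWhitelistJku() {
        JwtClaims claims = baseClaims(JwksTestFixture.JKU_ISS, JwksTestFixture.VALID_AUD, RSA_SUBJECT, EXP_MINUTES);
        Authenticator<BearerCredential, JwtPrincipal> authenticator = JwksTestFixture.authenticator();

        AuthenticationException rejection = Assertions.assertThrows(AuthenticationException.class, () -> {
            authenticator.authenticate(JwksTestFixture.createEncodedJws(JwksTestFixture.Kid.RSA_EXCLUDE_JKU, claims));
        });
        assertRejection(rejection,
                "Failed to authenticate bearer credentials : InvalidJwtException - Headers: [{\"kid\":\"RSA_EXCLUDE_JKU\",\"alg\":\"RS512\"}], Additional Details: [[JWT header field alg is not allow listed - The JWT header field Algorithm {alg} is invalid as it is not allow listed., relatedClaims: {userResourceId=null, userId=null}, identityInfo: {}]] -> KeyConstraintException",
                AuthenticationExceptionReasonCodes.ErrorTypes.JWT_HEADER_ALG_INVALID.name());
    }

    /**
     * A token from an issuer the authenticator is not configured for is rejected before any
     * key lookup, with reason code {@code TOKEN_ISSUER_UNRECOGNIZED}.
     */
    @Test
    public void testUnknownIss() {
        JwtClaims claims = baseClaims("NOT_VALID_ISS", JwksTestFixture.VALID_AUD, MOCK_SUBJECT, EXP_MINUTES);
        Authenticator<BearerCredential, JwtPrincipal> authenticator = JwksTestFixture.authenticator();

        AuthenticationException rejection = Assertions.assertThrows(AuthenticationException.class, () -> {
            authenticator.authenticate(JwksTestFixture.createEncodedJws(claims));
        });
        // Expected value first, matching the other cases; the literal is kept because no
        // ErrorTypes constant for it is referenced in this file.
        assertRejection(rejection,
                "Failed to authenticate bearer credentials : AuthenticationException [Authentication Exception - Unrecognized issuer NOT_VALID_ISS, token issuer unrecognized, relatedClaims: {}, identityInfo: {}]",
                "TOKEN_ISSUER_UNRECOGNIZED");
    }

    /**
     * With {@code JwksTestFixture.authConfig(true)} an otherwise-unknown issuer is accepted
     * and reported back on the principal. The boolean presumably enables wildcard issuer
     * matching (per the test name) — confirm against {@code JwksTestFixture.authConfig}.
     */
    @Test
    public void testUnknownIssWithWildCard() throws JoseException {
        JwtClaims claims = baseClaims("UNKNOWN_ISS", JwksTestFixture.VALID_AUD, RSA_SUBJECT, EXP_MINUTES);
        claims.setIssuedAt(NumericDate.now());

        JwtPrincipal principal = JwksTestFixture.authenticator(JwksTestFixture.authConfig(true))
                .authenticate(JwksTestFixture.createEncodedJws(JwksTestFixture.Kid.RSA_PEM, claims));
        assertPrincipal(principal, RSA_SUBJECT, "UNKNOWN_ISS");
    }

    /**
     * A wrong {@code aud} is rejected with {@code JWT_AUD_CLAIM_INVALID}; the message also
     * echoes the {@code userId} / {@code userResourceId} claims as related claims.
     */
    @Test
    public void testInvalidAud() {
        JwtClaims claims = baseClaims(JwksTestFixture.PEM_ISS, "NOT_VALID_AUD", MOCK_SUBJECT, EXP_MINUTES);
        claims.setIssuedAt(NumericDate.now());
        claims.setClaim("userId", "1234567");
        claims.setClaim("userResourceId", "u-ab34a");
        Authenticator<BearerCredential, JwtPrincipal> authenticator = JwksTestFixture.authenticator();

        AuthenticationException rejection = Assertions.assertThrows(AuthenticationException.class, () -> {
            authenticator.authenticate(JwksTestFixture.createEncodedJws(claims));
        });
        assertRejection(rejection,
                "Failed to authenticate bearer credentials : InvalidJwtException - Headers: [{\"alg\":\"RS256\"}], Additional Details: [[JWT aud claim has unexpected value - The JWT Audience {aud} claim has unexpected value., relatedClaims: {userResourceId=u-ab34a, userId=1234567}, identityInfo: {}]]",
                AuthenticationExceptionReasonCodes.ErrorTypes.JWT_AUD_CLAIM_INVALID.name());
    }

    /**
     * Each required claim ({@code exp}, {@code aud}, {@code iss}, {@code sub}) missing on its
     * own is rejected with a distinct reason code, and the security context's
     * {@code identityPoolId} / {@code providerId} are echoed in the message.
     */
    @Test
    public void testMissingClaims() {
        SecurityContext securityContext = new SecurityContext();
        securityContext.add("identityPoolId", "pool-12345");
        securityContext.add("providerId", "someproviderid");

        // Typed generics instead of the raw interface so the lambda parameters are not Object.
        TernaryFunction<JwtClaims, String, String, AuthenticationException> rejectWith =
                (claims, expectedMessage, expectedReasonCode) -> {
            Authenticator<BearerCredential, JwtPrincipal> authenticator = JwksTestFixture.authenticator();
            AuthenticationException rejection = Assertions.assertThrows(AuthenticationException.class, () -> {
                ((JwtAuthenticator) authenticator).authenticate(JwksTestFixture.createEncodedJws(claims), securityContext);
            });
            assertRejection(rejection, expectedMessage, expectedReasonCode);
            return rejection;
        };

        // No exp.
        JwtClaims noExp = new JwtClaims();
        noExp.setIssuer(JwksTestFixture.PEM_ISS);
        noExp.setAudience(JwksTestFixture.VALID_AUD);
        noExp.setSubject(MOCK_SUBJECT);
        noExp.setNotBefore(NumericDate.now());
        rejectWith.apply(noExp,
                "Failed to authenticate bearer credentials : InvalidJwtException - Headers: [{\"alg\":\"RS256\"}], Additional Details: [[JWT exp claim missing - The JWT had no Expiration Time {exp} claim but it is configured to be required., relatedClaims: {userResourceId=null, userId=null}, identityInfo: {providerId=someproviderid, identityPoolId=pool-12345}]]",
                AuthenticationExceptionReasonCodes.ErrorTypes.JWT_EXP_CLAIM_MISSING.name());

        // No aud.
        JwtClaims noAud = new JwtClaims();
        noAud.setIssuer(JwksTestFixture.PEM_ISS);
        noAud.setSubject(MOCK_SUBJECT);
        noAud.setExpirationTimeMinutesInTheFuture(EXP_MINUTES);
        rejectWith.apply(noAud,
                "Failed to authenticate bearer credentials : InvalidJwtException - Headers: [{\"alg\":\"RS256\"}], Additional Details: [[JWT aud claim missing - The JWT had no Audience {aud} claim but it is configured to be required., relatedClaims: {userResourceId=null, userId=null}, identityInfo: {providerId=someproviderid, identityPoolId=pool-12345}]]",
                AuthenticationExceptionReasonCodes.ErrorTypes.JWT_AUD_CLAIM_MISSING.name());

        // No iss: rejected by the authenticator's own argument check rather than by JWT
        // validation, hence the different message shape and a string reason code.
        JwtClaims noIss = new JwtClaims();
        noIss.setAudience(JwksTestFixture.VALID_AUD);
        noIss.setSubject(MOCK_SUBJECT);
        noIss.setExpirationTimeMinutesInTheFuture(EXP_MINUTES);
        rejectWith.apply(noIss,
                "Failed to authenticate bearer credentials : IllegalArgumentException [Illegal Argument Exception - Bearer token missing required issuer claim, relatedClaims: {}, identityInfo: {providerId=someproviderid, identityPoolId=pool-12345}]",
                "TOKEN_ISSUER_CLAIM_ABSENT");

        // No sub.
        JwtClaims noSub = new JwtClaims();
        noSub.setIssuer(JwksTestFixture.PEM_ISS);
        noSub.setAudience(JwksTestFixture.VALID_AUD);
        noSub.setExpirationTimeMinutesInTheFuture(EXP_MINUTES);
        rejectWith.apply(noSub,
                "Failed to authenticate bearer credentials : InvalidJwtException - Headers: [{\"alg\":\"RS256\"}], Additional Details: [[JWT sub claim missing - The JWT had no Subject {sub} claim but it is configured to be required., relatedClaims: {userResourceId=null, userId=null}, identityInfo: {providerId=someproviderid, identityPoolId=pool-12345}]]",
                AuthenticationExceptionReasonCodes.ErrorTypes.JWT_SUB_CLAIM_MISSING.name());
    }

    /**
     * A token whose {@code exp} is an hour in the past is rejected; the message embeds the
     * exact {@code exp} value. Only the message is asserted — the reason code for this
     * path is not referenced anywhere in this file, so it is left unpinned rather than
     * guessed.
     *
     * @throws MalformedClaimException if the fixture's {@code exp} claim cannot be read back
     */
    @Test
    public void testExpiredJws() throws MalformedClaimException {
        JwtClaims claims = baseClaims(JwksTestFixture.PEM_ISS, JwksTestFixture.VALID_AUD, MOCK_SUBJECT, -EXP_MINUTES);
        Authenticator<BearerCredential, JwtPrincipal> authenticator = JwksTestFixture.authenticator();

        AuthenticationException rejection = Assertions.assertThrows(AuthenticationException.class, () -> {
            authenticator.authenticate(JwksTestFixture.createEncodedJws(claims));
        });
        String expectedMessage = "Failed to authenticate bearer credentials : InvalidJwtException - Headers: [{\"alg\":\"RS256\"}], Additional Details: [[JWT is expired - The JWT Expiration Time {exp} claim identified a time in the past., relatedClaims: {userResourceId=null, exp="
                + claims.getExpirationTime().getValue()
                + ", userId=null}, identityInfo: {}]]";
        Assertions.assertEquals(expectedMessage, rejection.getMessage());
    }

    /**
     * A token whose {@code nbf} is 1000 seconds in the future is rejected with
     * {@code JWT_NBF_CLAIM_NOT_VALID_YET}; the message embeds the {@code nbf} value, the
     * related user claims and the security context.
     */
    @Test
    public void testNbfInFuture() {
        // Claims are set in this order on purpose so the payload matches the original case
        // exactly; nbf is deliberately last because it is the one being pushed forward.
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(JwksTestFixture.PEM_ISS);
        claims.setAudience(JwksTestFixture.VALID_AUD);
        claims.setSubject(MOCK_SUBJECT);
        claims.setExpirationTimeMinutesInTheFuture(EXP_MINUTES);
        claims.setClaim("userId", "1234567");
        claims.setClaim("userResourceId", "u-1ab23c");
        NumericDate notBefore = NumericDate.now();
        notBefore.addSeconds(1000L);
        claims.setNotBefore(notBefore);

        Authenticator<BearerCredential, JwtPrincipal> authenticator = JwksTestFixture.authenticator();
        SecurityContext securityContext = new SecurityContext();
        securityContext.add("identityPoolId", "pool-abcd");
        securityContext.add("providerId", "someproviderId");

        AuthenticationException rejection = Assertions.assertThrows(AuthenticationException.class, () -> {
            ((JwtAuthenticator) authenticator).authenticate(JwksTestFixture.createEncodedJws(claims), securityContext);
        });
        String expectedMessage = "Failed to authenticate bearer credentials : InvalidJwtException - Headers: [{\"alg\":\"RS256\"}], Additional Details: [[JWT nbf claim is not valid yet - The JWT Not Before claim {nbf} indicates that it is not yet valid., relatedClaims: {nbf="
                + notBefore.getValue()
                + ", userResourceId=u-1ab23c, userId=1234567}, identityInfo: {providerId=someproviderId, identityPoolId=pool-abcd}]]";
        assertRejection(rejection, expectedMessage,
                AuthenticationExceptionReasonCodes.ErrorTypes.JWT_NBF_CLAIM_NOT_VALID_YET.name());
    }

    /**
     * A {@code kid} header that maps to no configured key is rejected with
     * {@code JWT_HEADER_KID_LOOKUP_FAILED} rather than falling back to any other key.
     */
    @Test
    public void testUnresolvableKeyInvalidKid() {
        JwtClaims claims = baseClaims(JwksTestFixture.PEM_ISS, JwksTestFixture.VALID_AUD, MOCK_SUBJECT, EXP_MINUTES);
        Authenticator<BearerCredential, JwtPrincipal> authenticator = JwksTestFixture.authenticator();

        JsonWebSignature jws = JwksTestFixture.createJws(claims);
        jws.setKeyIdHeaderValue("Not known kid");
        AuthenticationException rejection = Assertions.assertThrows(AuthenticationException.class, () -> {
            authenticator.authenticate(new BearerCredential(jws.getCompactSerialization()));
        });
        assertRejection(rejection,
                "Failed to authenticate bearer credentials : InvalidJwtException - Headers: [{\"alg\":\"RS256\",\"kid\":\"Not known kid\"}], Additional Details: [[JWT header field kid has no mapped public keys - The JWT header field Key Id {kid} is invalid as we could not find a suitable corresponding verification key., relatedClaims: {userResourceId=null, userId=null}, identityInfo: {}]] -> UnresolvableKeyException",
                AuthenticationExceptionReasonCodes.ErrorTypes.JWT_HEADER_KID_LOOKUP_FAILED.name());
    }
}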
