package io.confluent.security.authentication.oauthbearer;

import io.confluent.security.authentication.oauthbearer.MockJwtSource;
import io.spiffe.workloadapi.JwtSource;
import java.util.ArrayList;
import java.util.Collections;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.lang.UnresolvableKeyException;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/security/authentication/oauthbearer/JwtIssuerSpireVerificationKeyResolverTest.class */
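/**
 * Tests for {@link SpireVerificationKeyResolver} wrapped in a {@link ConstrainedVerificationKeyResolver}
 * that enforces the algorithm whitelist from {@link JwksTestFixture#getStaticConfig()}.
 *
 * <p>The positive case checks that a JWS whose issuer is the SPIRE issuer, whose subject is a SPIFFE ID
 * in a trust domain served by the mock {@link JwtSource}, and whose {@code kid} is present in that
 * bundle resolves to a non-null key. The negative cases pin the exact {@link UnresolvableKeyException}
 * message for every rejection path (missing/empty/non-SPIRE issuer, missing/empty/unparseable subject,
 * unknown trust domain, missing/empty/unknown kid, uninitialised JWT source) so that any weakening of
 * those checks in the resolver shows up as a test failure rather than as a token being accepted.
 */
public class JwtIssuerSpireVerificationKeyResolverTest {
    /** A subject in the trust domain the mock source knows about; used by every test that needs a valid SPIFFE ID. */
    private static final String KNOWN_SPIFFE_SUBJECT =
            "spiffe://" + MockJwtSource.SPIRE_TRUST_DOMAIN_1 + "/test-workload";

    private final JwtSource jwtSource = new MockJwtSource();
    private final SpireVerificationKeyResolver spireVerificationKeyResolver =
            new SpireVerificationKeyResolver(jwtSource);
    private final Constraint algorithmWhiteList =
            new AlgorithmWhitelist(JwksTestFixture.getStaticConfig().algorithmWhitelist());
    private final ConstrainedVerificationKeyResolver constrainedVerificationKeyResolver =
            new ConstrainedVerificationKeyResolver(spireVerificationKeyResolver, Collections.singleton(algorithmWhiteList));
    /** Issuer value the resolver treats as the SPIRE issuer (the tests with other issuers are expected to fail). */
    private final String spireIssuerName = "test.prefix.spire.internal.confluent.cloud";

    // Fresh per test so header/claim mutations in one test never leak into another.
    private JsonWebSignature jws;
    private JwtClaims claims;

    @BeforeEach
    public void setUp() {
        jws = new JsonWebSignature();
        claims = new JwtClaims();
    }

    /** Re-serialises the current claims into the JWS payload after a claim was changed. */
    private void setPayloadFromClaims() {
        jws.setPayload(claims.toJson());
    }

    /**
     * Asserts that key resolution for the current {@code jws} through {@code resolver} throws
     * {@link UnresolvableKeyException} carrying exactly {@code expectedMessage}.
     *
     * <p>The nesting-context list passed to {@code resolveKey} is empty, as in the original tests.
     */
    private void assertResolveFails(ConstrainedVerificationKeyResolver resolver, String expectedMessage) {
        UnresolvableKeyException e = Assertions.assertThrows(UnresolvableKeyException.class,
                () -> resolver.resolveKey(jws, new ArrayList<>()));
        Assertions.assertEquals(expectedMessage, e.getMessage());
    }

    /** Same as {@link #assertResolveFails(ConstrainedVerificationKeyResolver, String)} against the shared resolver. */
    private void assertResolveFails(String expectedMessage) {
        assertResolveFails(constrainedVerificationKeyResolver, expectedMessage);
    }

    /** Happy path: SPIRE issuer, known trust domain, and a kid present in the mock bundle for two different kids. */
    @Test
    public void testResolveKey() throws UnresolvableKeyException {
        claims.setIssuer(spireIssuerName);
        claims.setSubject(KNOWN_SPIFFE_SUBJECT);
        setPayloadFromClaims();
        jws.setAlgorithmHeaderValue("RS256");

        jws.setKeyIdHeaderValue(MockJwtSource.Kid.RSA_SPIRE_1.name());
        Assertions.assertNotNull(constrainedVerificationKeyResolver.resolveKey(jws, new ArrayList<>()));

        jws.setKeyIdHeaderValue(MockJwtSource.Kid.EU_SPIRE_1.name());
        Assertions.assertNotNull(constrainedVerificationKeyResolver.resolveKey(jws, new ArrayList<>()));
    }

    /** A missing, empty, or non-SPIRE issuer must be rejected before any key lookup happens. */
    @Test
    public void testResolveKeyEmptyOrNullOrInvalidIssuer() {
        claims.setSubject(KNOWN_SPIFFE_SUBJECT);
        setPayloadFromClaims();
        jws.setAlgorithmHeaderValue("RS256");
        jws.setKeyIdHeaderValue(MockJwtSource.Kid.RSA_SPIRE_1.name());

        // No issuer claim at all.
        assertResolveFails("Cannot find issuer payload from jws with error");

        // Empty issuer claim.
        claims.setIssuer("");
        setPayloadFromClaims();
        assertResolveFails("Cannot find issuer payload from jws with error");

        // Well-formed issuer that is not the SPIRE issuer.
        claims.setIssuer(JwksTestFixture.PEM_ISS);
        setPayloadFromClaims();
        assertResolveFails("Token issuer: Confluent is not SPIRE");
    }

    /** A missing, empty, or non-SPIFFE subject must be rejected; the subject selects the trust-domain bundle. */
    @Test
    public void testResolveKeyEmptyOrNullOrInvalidSubject() {
        claims.setIssuer(spireIssuerName);
        setPayloadFromClaims();
        jws.setAlgorithmHeaderValue("RS256");
        jws.setKeyIdHeaderValue(MockJwtSource.Kid.RSA_SPIRE_1.name());

        // No subject claim at all.
        assertResolveFails("Unable to get subject payload from jws with error");

        // Empty subject claim.
        claims.setSubject("");
        setPayloadFromClaims();
        assertResolveFails("Unable to get subject payload from jws with error");

        // Wrong scheme ("spife" instead of "spiffe") is not a parseable SPIFFE ID.
        claims.setSubject("spife://" + MockJwtSource.SPIRE_TRUST_DOMAIN_1 + "/test-workload");
        setPayloadFromClaims();
        assertResolveFails("Unable to parse the subject spife://spire.test.domain.one/test-workload as SPIFFE ID");
    }

    /** A syntactically valid SPIFFE ID in a trust domain the JWT source has no bundle for must be rejected. */
    @Test
    public void testResolveKeyUnknownTrustDomain() {
        claims.setIssuer(spireIssuerName);
        claims.setSubject("spiffe://unknown.trust.domain/test-workload");
        setPayloadFromClaims();
        jws.setAlgorithmHeaderValue("RS256");
        jws.setKeyIdHeaderValue(MockJwtSource.Kid.RSA_SPIRE_1.name());

        assertResolveFails("Unable to get jwt bundle from jwt source for subject spiffe://unknown.trust.domain/test-workload");
    }

    /** A missing, empty, or unknown kid must not resolve to any key, even when issuer and subject are valid. */
    @Test
    public void testResolveKeyEmptyOrNullOrInvalidKid() {
        claims.setIssuer(spireIssuerName);
        claims.setSubject(KNOWN_SPIFFE_SUBJECT);
        setPayloadFromClaims();
        jws.setAlgorithmHeaderValue("RS256");

        // No kid header; the expected message echoes the serialised JOSE header.
        assertResolveFails("Unable to get kid in the JWS with header {\"alg\":\"RS256\"}");

        // Empty kid header.
        jws.setKeyIdHeaderValue("");
        assertResolveFails("Unable to get kid in the JWS with header {\"alg\":\"RS256\",\"kid\":\"\"}");

        // Kid that is not in the bundle for this trust domain.
        jws.setKeyIdHeaderValue(MockJwtSource.Kid.RSA_SPIRE_2.name());
        assertResolveFails("Unable to find a suitable verification key for JWS with header {\"alg\":\"RS256\",\"kid\":\"RSA_SPIRE_2\"}");
    }

    /** A resolver built without a JWT source fails closed instead of resolving a key. */
    @Test
    public void testResolveKeyNullJwtSource() {
        ConstrainedVerificationKeyResolver resolverWithoutSource = new ConstrainedVerificationKeyResolver(
                new SpireVerificationKeyResolver((JwtSource) null), Collections.singleton(algorithmWhiteList));
        claims.setIssuer(spireIssuerName);
        claims.setSubject(KNOWN_SPIFFE_SUBJECT);
        setPayloadFromClaims();
        jws.setAlgorithmHeaderValue("RS256");

        assertResolveFails(resolverWithoutSource,
                "Jwt source not initialized. Unable to get jwt bundle for subject spiffe://spire.test.domain.one/test-workload");
    }
}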
