package io.confluent.security.authentication.oauthbearer;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.google.common.io.ByteStreams;
import io.confluent.security.authentication.AuthenticationConfig;
import io.confluent.security.authentication.TestJwtIssuerExtension;
import io.confluent.security.config.ConfigurationException;
import io.confluent.security.config.YamlConfigReader;
import java.io.IOException;
import java.io.InputStream;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/security/authentication/oauthbearer/JwtAuthenticationConfigTest.class */
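/**
 * Tests for loading {@link JwtAuthenticationConfig} from YAML fixtures and for the builder's
 * defaults.
 *
 * <p>The assertions pin several security-relevant settings of the JWT verifier configuration:
 * the signature-algorithm allow-list, the per-issuer audience sets, the JKU domain allow-list and
 * the cache-retention value. A change to any of them should be a deliberate, reviewed change.
 *
 * <p>This listing was recovered by a decompiler. Assignments that could not compile, the expanded
 * try-with-resources and the two emptied {@code assertThrows} lambdas have been repaired; each
 * repair is noted where it is made.
 */
public class JwtAuthenticationConfigTest {
    /** Classpath location of the main fixture shared by most tests. */
    private static final String AUTH_CONFIG = "configs/AuthConfig.yaml";

    /** Resolves a test resource, failing fast with an NPE when the fixture is missing. */
    private static URL resource(String path) {
        return (URL) Objects.requireNonNull(JwtAuthenticationConfigTest.class.getClassLoader().getResource(path));
    }

    /**
     * Loads the shared fixture and checks that it deserializes to a {@link JwtAuthenticationConfig}.
     *
     * @return the loaded configuration, already narrowed to its JWT subtype
     */
    private static JwtAuthenticationConfig loadJwtConfig() {
        AuthenticationConfig loaded = (AuthenticationConfig) new YamlConfigReader().load(resource(AUTH_CONFIG), AuthenticationConfig.class);
        Assertions.assertNotNull(loaded);
        Assertions.assertTrue(loaded instanceof JwtAuthenticationConfig);
        return (JwtAuthenticationConfig) loaded;
    }

    /** Returns the issuer at {@code index} of the loaded configuration. */
    private static JwtIssuer issuerAt(JwtAuthenticationConfig config, int index) {
        return (JwtIssuer) config.issuers().get(index);
    }

    /** The fixture restricts signatures to RS256 and declares six issuers in a fixed order. */
    @Test
    public void testJwtAuthenticationConfigIssuers() {
        JwtAuthenticationConfig config = loadJwtConfig();
        // An explicit allow-list in the YAML must be taken as-is: only RS256 is expected here.
        Assertions.assertEquals(new HashSet<>(Arrays.asList(SignatureAlgorithm.RS256)), config.algorithmWhitelist());
        Assertions.assertEquals(6, config.issuers().size());
        Assertions.assertEquals("https://vault.cireops.gcp.internal.confluent.cloud/v1/identity/oidc", issuerAt(config, 0).name());
        Assertions.assertEquals(JwksTestFixture.PEM_ISS, issuerAt(config, 1).name());
        Assertions.assertTrue(issuerAt(config, 2).name().contains("spire.internal.confluent.cloud"));
        Assertions.assertEquals("pemFactory", issuerAt(config, 3).name());
        Assertions.assertEquals("custom", issuerAt(config, 4).name());
        // NOTE(review): an issuer literally named "*" looks like a wildcard entry. How the verifier
        // matches a token's issuer against it is not visible in this file; confirm it is intended.
        Assertions.assertEquals("*", issuerAt(config, 5).name());
    }

    /** Each issuer entry must deserialize to the verifier type its position in the fixture implies. */
    @Test
    public void testJwtAuthenticationConfigVerifier() {
        JwtAuthenticationConfig config = loadJwtConfig();
        Assertions.assertTrue(config.issuers().get(0) instanceof JwtIssuerJwks);
        Assertions.assertTrue(config.issuers().get(1) instanceof JwtIssuerJku);
        Assertions.assertTrue(config.issuers().get(2) instanceof MockJwtIssuerSpire);
        Assertions.assertTrue(config.issuers().get(3) instanceof JwtIssuerStatic);
    }

    /** The JWKS issuer carries its key-set URI and the exact set of accepted audiences. */
    @Test
    public void testJwtAuthenticationConfigVerifierJwks() {
        JwtAuthenticationConfig config = loadJwtConfig();
        JwtIssuer issuer = issuerAt(config, 0);
        Assertions.assertTrue(issuer instanceof JwtIssuerJwks);
        JwtIssuerJwks jwksIssuer = (JwtIssuerJwks) issuer;
        Assertions.assertEquals("https://vault.cireops.gcp.internal.confluent.cloud/v1/identity/oidc/.well-known/keys", jwksIssuer.jwksUri());
        // Set equality: an extra or missing audience in the loaded config fails the test.
        Assertions.assertEquals(new HashSet<>(Arrays.asList("C82RLLokthIFn4v4sDYKpJbksC", "z2OPfk0pavN7Xj0UElTUaR1Xqt")), jwksIssuer.audience());
    }

    /** The JKU issuer carries the ordered domain allow-list and an empty audience set. */
    @Test
    public void testJwtAuthenticationConfigVerifierJku() {
        JwtAuthenticationConfig config = loadJwtConfig();
        JwtIssuer issuer = issuerAt(config, 1);
        Assertions.assertTrue(issuer instanceof JwtIssuerJku);
        JwtIssuerJku jkuIssuer = (JwtIssuerJku) issuer;
        // NOTE(review): this list presumably bounds the hosts a token's jku header may point the
        // key fetch at. Two entries have no leading dot; the matcher is not visible here, so
        // confirm it anchors on a full host-name label rather than a bare string suffix.
        Assertions.assertEquals(Arrays.asList(".confluent.io", "devel.cpdev.cloud", "stag.cpdev.cloud", ".gcp.priv.cpdev.cloud"), jkuIssuer.domainWhitelist());
        // NOTE(review): whether an empty audience set disables the audience check is not visible
        // in this file; confirm against the verifier.
        Assertions.assertEquals(Collections.emptySet(), jkuIssuer.audience());
    }

    /** The SPIRE issuer is loaded as the mock type and the agent socket endpoint is read from YAML. */
    @Test
    public void testJwtAuthenticationConfigVerifierSpire() {
        JwtAuthenticationConfig config = loadJwtConfig();
        JwtIssuer issuer = issuerAt(config, 2);
        Assertions.assertTrue(issuer instanceof MockJwtIssuerSpire);
        Assertions.assertTrue(issuer.name().contains("spire.internal.confluent.cloud"));
        Assertions.assertEquals("tcp://0.0.0.0:31523", config.spireAgentSocketEndpoint());
    }

    /**
     * The static issuer's key set must serialize back to exactly the contents of
     * {@code configs/pems.json}.
     *
     * @throws URISyntaxException kept from the original signature; nothing visible here throws it
     * @throws IOException if the fixture cannot be read
     */
    @Test
    public void testJwtAuthenticationConfigVerifierStatic() throws URISyntaxException, IOException {
        JwtAuthenticationConfig config = loadJwtConfig();
        JwtIssuer issuer = issuerAt(config, 3);
        Assertions.assertTrue(issuer instanceof JwtIssuerStatic);
        JwtIssuerStatic staticIssuer = (JwtIssuerStatic) issuer;
        // Restored try-with-resources: the decompiler had expanded it into nested try/catch
        // blocks around a null Throwable, which would NPE on a failing close().
        try (InputStream pems = resource("configs/pems.json").openStream()) {
            Assertions.assertEquals(new String(ByteStreams.toByteArray(pems), StandardCharsets.UTF_8), staticIssuer.jwks().toJson());
        }
        Assertions.assertEquals(Collections.emptySet(), staticIssuer.audience());
    }

    /** A custom issuer extension is loaded with its own name and audience set. */
    @Test
    public void testJwtAuthenticationConfigVerifierExtension() {
        JwtAuthenticationConfig config = loadJwtConfig();
        JwtIssuer issuer = issuerAt(config, 4);
        Assertions.assertTrue(issuer instanceof TestJwtIssuerExtension);
        TestJwtIssuerExtension extension = (TestJwtIssuerExtension) issuer;
        Assertions.assertEquals("custom", extension.name());
        Assertions.assertEquals(new HashSet<>(Arrays.asList("customAud1", "customAud2")), extension.audience());
    }

    /** Malformed key material in a static issuer must abort loading instead of being skipped. */
    @Test
    public void testConfigStaticIssuerInvalidPemParsing() {
        URL url = resource("configs/staticAuthConfig-invalid.yaml");
        YamlConfigReader yamlConfigReader = new YamlConfigReader();
        // NOTE(review): the decompiled listing had an empty lambda here and left url and
        // yamlConfigReader unused, so assertThrows could never pass. The load call below is a
        // reconstruction; confirm it against the original source.
        ConfigurationException thrown = Assertions.assertThrows(ConfigurationException.class, () -> yamlConfigReader.load(url, AuthenticationConfig.class));
        Assertions.assertTrue(thrown.getCause() instanceof JsonProcessingException);
    }

    /** A JWKS issuer without a key-set URI must be rejected at load time with a clear message. */
    @Test
    public void testMissingJwksUri() {
        URL url = resource("configs/jwtAuthConfig-invalid.yaml");
        YamlConfigReader yamlConfigReader = new YamlConfigReader();
        // NOTE(review): lambda body reconstructed from the unused locals left by the decompiler;
        // confirm it against the original source.
        ConfigurationException thrown = Assertions.assertThrows(ConfigurationException.class, () -> yamlConfigReader.load(url, AuthenticationConfig.class));
        Assertions.assertTrue(thrown.getCause() instanceof JsonProcessingException);
        Assertions.assertTrue(thrown.getCause().getMessage().contains("jwksUri must not be null"));
    }

    /**
     * An empty allow-list passed to the builder must come back as RS256 plus ES256, so an empty
     * setting never yields a configuration with no algorithm restriction.
     */
    @Test
    public void testEmptyAlgWhitelist() {
        JwtAuthenticationConfig build = JwtAuthenticationConfig.builder().issuers(Collections.singletonList(JwtIssuerJwks.builder().name("Phony").jwksUri("https://Phony.com/jwks").build())).algorithmWhitelist(Collections.emptySet()).build();
        Assertions.assertNotNull(build);
        Assertions.assertEquals(new HashSet<>(Arrays.asList(SignatureAlgorithm.RS256, SignatureAlgorithm.ES256)), build.algorithmWhitelist());
    }

    /** A {@code null} allow-list must come back as the same RS256 plus ES256 default as an empty one. */
    @Test
    public void testNullAlgWhitelist() {
        // The raw (Set) cast is kept from the listing; the builder's parameter type is not visible here.
        JwtAuthenticationConfig build = JwtAuthenticationConfig.builder().issuers(Collections.singletonList(JwtIssuerJwks.builder().name("Phony").jwksUri("https://Phony.com/jwks").build())).algorithmWhitelist((Set) null).build();
        Assertions.assertNotNull(build);
        Assertions.assertEquals(new HashSet<>(Arrays.asList(SignatureAlgorithm.RS256, SignatureAlgorithm.ES256)), build.algorithmWhitelist());
    }

    /**
     * The cache-retention value is read per issuer: 100 for the issuer at index 1 and 0 for the
     * issuer at index 5.
     */
    @Test
    public void testRetainCacheOnErrorDuration() {
        JwtAuthenticationConfig config = loadJwtConfig();
        // NOTE(review): the unit of this duration is not visible here. The name suggests it is how
        // long previously fetched keys stay usable after a failed refresh, which also bounds how
        // long a withdrawn key could remain trusted; confirm against the issuer implementation.
        Assertions.assertTrue(((JwtIssuerJku) config.issuers().get(1)).retainCacheOnErrorDuration() == 100);
        Assertions.assertTrue(((JwtIssuerJku) config.issuers().get(5)).retainCacheOnErrorDuration() == 0);
    }
}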
