package org.apache.activemq.artemis.spi.core.security.jaas;

import java.io.File;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.apache.activemq.artemis.spi.core.security.jaas.kubernetes.TokenCallbackHandler;
import org.apache.activemq.artemis.spi.core.security.jaas.kubernetes.client.KubernetesClient;
import org.apache.activemq.artemis.spi.core.security.jaas.kubernetes.model.TokenReview;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/activemq/artemis/spi/core/security/jaas/KubernetesLoginModuleTest.class */
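/**
 * Unit tests for {@link KubernetesLoginModule} driven through a mocked {@link KubernetesClient}.
 *
 * <p>Besides the happy path, the cases here pin the module's fail-closed behaviour: a token review
 * that is not authenticated, a token review with no status at all, and a missing token must each
 * leave the {@link Subject} without any principal, and a missing token must be rejected before the
 * token-review client is contacted.
 *
 * <p>NOTE(review): this class does not exercise a client that throws or returns {@code null}, nor
 * an authenticated review without a username; consider adding those cases so the deny-by-default
 * contract is covered end to end.
 */
public class KubernetesLoginModuleTest {
    private final KubernetesClient client = Mockito.mock(KubernetesClient.class);
    private final KubernetesLoginModule loginModule = new KubernetesLoginModule(this.client);
    private static final String TOKEN = "the_token";
    private static final String ROLES_FILE = "k8s-roles.properties";
    // NOTE(review): Kubernetes itself reports service-account usernames with the singular prefix
    // "system:serviceaccount:<namespace>:<name>"; this fixture uses the plural form. Confirm the
    // username parser is not expected to validate the prefix.
    public static final String USERNAME = "system:serviceaccounts:some-ns:kermit";
    public static final String AUTH_JSON = "{\"status\": {\"authenticated\": true, \"user\": {  \"username\": \"system:serviceaccounts:some-ns:kermit\"}}}";
    public static final String UNAUTH_JSON = "{\"status\": {\"authenticated\": false }}";

    /**
     * An authenticated token review yields one user principal, a service-account principal carrying
     * the parsed namespace and account name, and the two expected roles (presumably mapped in
     * {@code k8s-roles.properties}); logout then removes every principal from the subject.
     */
    @Test
    public void testBasicLogin() throws LoginException {
        Subject subject = initializeWithToken(TOKEN);
        Mockito.when(this.client.getTokenReview(TOKEN)).thenReturn(TokenReview.fromJsonString(AUTH_JSON));

        Assert.assertTrue(this.loginModule.login());
        Assert.assertTrue(this.loginModule.commit());

        MatcherAssert.assertThat(subject.getPrincipals(UserPrincipal.class), Matchers.hasSize(1));
        // Assert the service-account principal is actually present: iterating an empty set would
        // skip the identity checks below and let the test pass without verifying anything.
        Set<ServiceAccountPrincipal> serviceAccounts = subject.getPrincipals(ServiceAccountPrincipal.class);
        MatcherAssert.assertThat(serviceAccounts, Matchers.hasSize(1));
        for (ServiceAccountPrincipal serviceAccount : serviceAccounts) {
            MatcherAssert.assertThat(serviceAccount.getName(), Matchers.is(USERNAME));
            MatcherAssert.assertThat(serviceAccount.getSaName(), Matchers.is("kermit"));
            MatcherAssert.assertThat(serviceAccount.getNamespace(), Matchers.is("some-ns"));
        }

        Set<RolePrincipal> roles = subject.getPrincipals(RolePrincipal.class);
        MatcherAssert.assertThat(roles, Matchers.hasSize(2));
        MatcherAssert.assertThat(roles, Matchers.containsInAnyOrder(new RolePrincipal("muppet"), new RolePrincipal("admin")));

        // After logout a further commit must not succeed and no identity may linger on the subject.
        Assert.assertTrue(this.loginModule.logout());
        Assert.assertFalse(this.loginModule.commit());
        MatcherAssert.assertThat(subject.getPrincipals(), Matchers.empty());
        Mockito.verify(this.client, Mockito.times(1)).getTokenReview(TOKEN);
    }

    /** A token review reporting {@code authenticated: false} is denied and adds no principal. */
    @Test
    public void testFailedLogin() throws LoginException {
        Subject subject = initializeWithToken(TOKEN);
        Mockito.when(this.client.getTokenReview(TOKEN)).thenReturn(TokenReview.fromJsonString(UNAUTH_JSON));

        Assert.assertFalse(this.loginModule.login());
        Assert.assertFalse(this.loginModule.commit());
        MatcherAssert.assertThat(subject.getPrincipals(), Matchers.empty());
        Mockito.verify(this.client, Mockito.times(1)).getTokenReview(TOKEN);
    }

    /**
     * A missing token makes {@code login()} throw, leaves the subject empty, and never reaches the
     * token-review client.
     */
    @Test
    public void testNullToken() throws LoginException {
        Subject subject = initializeWithToken(null);
        try {
            Assert.assertFalse(this.loginModule.login());
            Assert.fail("Exception expected");
        } catch (LoginException expected) {
            // Expected: login without a token must be rejected with a LoginException.
        }
        Assert.assertFalse(this.loginModule.commit());
        MatcherAssert.assertThat(subject.getPrincipals(), Matchers.empty());
        Mockito.verifyNoInteractions(this.client);
    }

    /** A token review with no status (a freshly constructed instance) is treated as a denial. */
    @Test
    public void testUnableToVerifyToken() throws LoginException {
        Subject subject = initializeWithToken(TOKEN);
        Mockito.when(this.client.getTokenReview(TOKEN)).thenReturn(new TokenReview());

        Assert.assertFalse(this.loginModule.login());
        Assert.assertFalse(this.loginModule.commit());
        MatcherAssert.assertThat(subject.getPrincipals(), Matchers.empty());
        Mockito.verify(this.client, Mockito.times(1)).getTokenReview(TOKEN);
    }

    /** Creates a fresh subject and initializes the login module with a handler for {@code token}. */
    private Subject initializeWithToken(String token) {
        TokenCallbackHandler tokenCallbackHandler = new TokenCallbackHandler(token);
        Subject subject = new Subject();
        this.loginModule.initialize(subject, tokenCallbackHandler, Collections.emptyMap(), getDefaultOptions());
        return subject;
    }

    /**
     * Builds the module options: the role-mapping file name and, as {@code baseDir}, the directory
     * on the test classpath that contains it.
     *
     * @return the options map passed to {@code initialize}
     */
    private Map<String, ?> getDefaultOptions() {
        URL rolesResource = KubernetesLoginModuleTest.class.getClassLoader().getResource(ROLES_FILE);
        Assert.assertNotNull(ROLES_FILE + " must be on the test classpath", rolesResource);
        File rolesFile;
        try {
            // Go through the URI so percent-encoded characters (e.g. spaces in the checkout path)
            // are decoded; URL.getPath() would hand back the encoded form and point baseDir at a
            // directory that does not exist.
            rolesFile = new File(rolesResource.toURI());
        } catch (URISyntaxException e) {
            throw new IllegalStateException("Unusable resource URL: " + rolesResource, e);
        }
        return Map.of("org.apache.activemq.jaas.kubernetes.role", ROLES_FILE, "baseDir", rolesFile.getParentFile().getAbsolutePath());
    }
}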
