package org.apache.kafka.connect.runtime.rest;

import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.core.HttpHeaders;
import org.apache.kafka.connect.errors.ConnectException;
import org.apache.kafka.connect.runtime.distributed.Crypto;
import org.apache.kafka.connect.runtime.rest.errors.BadRequestException;
import org.eclipse.jetty.client.api.Request;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentCaptor;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.mockito.junit.MockitoJUnitRunner;

@RunWith(MockitoJUnitRunner.StrictStubs.class)
/* loaded from: input_file:org/apache/kafka/connect/runtime/rest/InternalRequestSignatureTest.class */
public class InternalRequestSignatureTest {
    private static final byte[] REQUEST_BODY = "[{\"config\":\"value\"},{\"config\":\"other_value\"}]".getBytes();
    private static final String SIGNATURE_ALGORITHM = "HmacSHA256";
    private static final SecretKey KEY = new SecretKeySpec(new byte[]{109, 116, -111, 49, -94, 25, -103, 44, -99, -118, 53, -69, 87, -124, 5, 48, 89, -105, -2, 58, -92, 87, 67, 49, -125, -79, -39, -126, -51, -53, -85, 57}, SIGNATURE_ALGORITHM);
    private static final byte[] SIGNATURE = {42, -3, Byte.MAX_VALUE, 57, 43, 49, -51, -43, 72, -62, -10, 120, 123, 125, 26, -65, 36, 72, 86, -71, -32, 13, -8, 115, 85, 73, -65, -112, 6, 68, 41, -50};
    private static final String ENCODED_SIGNATURE = Base64.getEncoder().encodeToString(SIGNATURE);
    private final Crypto crypto = Crypto.SYSTEM;

    @Test
    public void fromHeadersShouldReturnNullOnNullHeaders() {
        Assert.assertNull(InternalRequestSignature.fromHeaders(this.crypto, REQUEST_BODY, (HttpHeaders) null));
    }

    @Test
    public void fromHeadersShouldReturnNullIfSignatureHeaderMissing() {
        Assert.assertNull(InternalRequestSignature.fromHeaders(this.crypto, REQUEST_BODY, internalRequestHeaders(null, SIGNATURE_ALGORITHM)));
    }

    @Test
    public void fromHeadersShouldReturnNullIfSignatureAlgorithmHeaderMissing() {
        Assert.assertNull(InternalRequestSignature.fromHeaders(this.crypto, REQUEST_BODY, internalRequestHeaders(ENCODED_SIGNATURE, null)));
    }

    @Test
    public void fromHeadersShouldThrowExceptionOnInvalidSignatureAlgorithm() {
        Assert.assertThrows(BadRequestException.class, () -> {
            InternalRequestSignature.fromHeaders(this.crypto, REQUEST_BODY, internalRequestHeaders(ENCODED_SIGNATURE, "doesn'texist"));
        });
    }

    @Test
    public void fromHeadersShouldThrowExceptionOnInvalidBase64Signature() {
        Assert.assertThrows(BadRequestException.class, () -> {
            InternalRequestSignature.fromHeaders(this.crypto, REQUEST_BODY, internalRequestHeaders("not valid base 64", SIGNATURE_ALGORITHM));
        });
    }

    @Test
    public void fromHeadersShouldReturnNonNullResultOnValidSignatureAndSignatureAlgorithm() {
        InternalRequestSignature fromHeaders = InternalRequestSignature.fromHeaders(this.crypto, REQUEST_BODY, internalRequestHeaders(ENCODED_SIGNATURE, SIGNATURE_ALGORITHM));
        Assert.assertNotNull(fromHeaders);
        Assert.assertNotNull(fromHeaders.keyAlgorithm());
    }

    @Test
    public void addToRequestShouldThrowExceptionOnInvalidSignatureAlgorithm() throws NoSuchAlgorithmException {
        Request request = (Request) Mockito.mock(Request.class);
        Crypto crypto = (Crypto) Mockito.mock(Crypto.class);
        Mockito.when(crypto.mac(ArgumentMatchers.anyString())).thenThrow(new Throwable[]{new NoSuchAlgorithmException("doesn'texist")});
        Assert.assertThrows(ConnectException.class, () -> {
            InternalRequestSignature.addToRequest(crypto, KEY, REQUEST_BODY, "doesn'texist", request);
        });
    }

    @Test
    public void addToRequestShouldAddHeadersOnValidSignatureAlgorithm() {
        Request request = (Request) Mockito.mock(Request.class);
        ArgumentCaptor forClass = ArgumentCaptor.forClass(String.class);
        ArgumentCaptor forClass2 = ArgumentCaptor.forClass(String.class);
        Mockito.when(request.header((String) ArgumentMatchers.eq("X-Connect-Authorization"), (String) forClass.capture())).thenReturn(request);
        Mockito.when(request.header((String) ArgumentMatchers.eq("X-Connect-Request-Signature-Algorithm"), (String) forClass2.capture())).thenReturn(request);
        InternalRequestSignature.addToRequest(this.crypto, KEY, REQUEST_BODY, SIGNATURE_ALGORITHM, request);
        Assert.assertEquals("Request should have valid base 64-encoded signature added as header", ENCODED_SIGNATURE, forClass.getValue());
        Assert.assertEquals("Request should have provided signature algorithm added as header", SIGNATURE_ALGORITHM, forClass2.getValue());
    }

    @Test
    public void testSignatureValidation() throws Exception {
        Mac mac = Mac.getInstance(SIGNATURE_ALGORITHM);
        Assert.assertTrue(new InternalRequestSignature(REQUEST_BODY, mac, SIGNATURE).isValid(KEY));
        Assert.assertTrue(InternalRequestSignature.fromHeaders(this.crypto, REQUEST_BODY, internalRequestHeaders(ENCODED_SIGNATURE, SIGNATURE_ALGORITHM)).isValid(KEY));
        Assert.assertFalse(new InternalRequestSignature("[{\"different_config\":\"different_value\"}]".getBytes(), mac, SIGNATURE).isValid(KEY));
        Assert.assertFalse(new InternalRequestSignature(REQUEST_BODY, mac, "bad signature".getBytes()).isValid(KEY));
    }

    private static HttpHeaders internalRequestHeaders(String str, String str2) {
        HttpHeaders httpHeaders = (HttpHeaders) Mockito.mock(HttpHeaders.class);
        Mockito.when(httpHeaders.getHeaderString((String) ArgumentMatchers.eq("X-Connect-Authorization"))).thenReturn(str);
        Mockito.when(httpHeaders.getHeaderString((String) ArgumentMatchers.eq("X-Connect-Request-Signature-Algorithm"))).thenReturn(str2);
        return httpHeaders;
    }
}
