package org.apache.kafka.common.network;

import java.lang.reflect.Field;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.config.internals.BrokerSecurityConfigs;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.message.ApiMessageType;
import org.apache.kafka.common.requests.ApiVersionsResponse;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.TestSecurityConfig;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.security.authenticator.CredentialCache;
import org.apache.kafka.common.security.authenticator.TestJaasConfig;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule;
import org.apache.kafka.common.security.plain.PlainLoginModule;
import org.apache.kafka.common.security.scram.ScramLoginModule;
import org.apache.kafka.common.security.token.delegation.internals.DelegationTokenCache;
import org.apache.kafka.common.utils.LogContext;
import org.apache.kafka.common.utils.Time;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/kafka/common/network/SaslChannelBuilderTest.class */
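/**
 * Tests for {@link SaslChannelBuilder}: login-manager lifecycle on {@code close()} and on a failed
 * {@code configure()}, handling of native GSSAPI credentials, and tolerance of broker-only
 * security configs when building client channels.
 */
public class SaslChannelBuilderTest {

    /** JVM-wide switch read by the JDK's JGSS provider; process-global, so tests must reset it. */
    private static final String NATIVE_GSS_PROPERTY = "sun.security.jgss.native";

    /** Object identifier of the Kerberos V5 GSS-API mechanism. */
    private static final String KERBEROS_V5_OID = "1.2.840.113554.1.2.2";

    /**
     * Minimal JAAS login module standing in for a real Kerberos login. It never contacts a KDC:
     * {@link #login()} always succeeds and attaches one fixed principal to the subject.
     */
    public static final class TestGssapiLoginModule implements LoginModule {
        private Subject subject;

        /** Remembers the subject so that {@link #login()} can populate it; other arguments are unused. */
        @Override
        public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
            this.subject = subject;
        }

        /** Adds a fixed {@link KafkaPrincipal} to the subject and reports success unconditionally. */
        @Override
        public boolean login() throws LoginException {
            this.subject.getPrincipals().add(new KafkaPrincipal("User", "kafka@kafka1.example.com"));
            return true;
        }

        @Override
        public boolean commit() throws LoginException {
            return true;
        }

        @Override
        public boolean abort() throws LoginException {
            return true;
        }

        @Override
        public boolean logout() throws LoginException {
            return true;
        }
    }

    /**
     * Clears the native-GSSAPI system property after every test. The property is global to the
     * JVM, so leaving it set by {@link #testNativeGssapiCredentials()} would change the code path
     * exercised by any test that runs afterwards in the same process.
     */
    @AfterEach
    public void tearDown() {
        System.clearProperty(NATIVE_GSS_PROPERTY);
    }

    /** Closing a builder that was never configured, once or twice, leaves no login managers behind. */
    @Test
    public void testCloseBeforeConfigureIsIdempotent() {
        SaslChannelBuilder builder = createChannelBuilder(SecurityProtocol.SASL_PLAINTEXT, "PLAIN");
        builder.close();
        Assertions.assertTrue(builder.loginManagers().isEmpty());
        builder.close();
        Assertions.assertTrue(builder.loginManagers().isEmpty());
    }

    /** A configured builder holds a PLAIN login manager; closing it once or twice releases it. */
    @Test
    public void testCloseAfterConfigIsIdempotent() {
        SaslChannelBuilder builder = createChannelBuilder(SecurityProtocol.SASL_PLAINTEXT, "PLAIN");
        builder.configure(new HashMap<>());
        Assertions.assertNotNull(builder.loginManagers().get("PLAIN"));
        builder.close();
        Assertions.assertTrue(builder.loginManagers().isEmpty());
        builder.close();
        Assertions.assertTrue(builder.loginManagers().isEmpty());
    }

    /**
     * A {@code configure()} call that fails (here: an invalid {@code ssl.enabled.protocols} value
     * on a SASL_SSL builder) must not leave login managers registered, so a half-configured
     * builder does not keep login state alive.
     */
    @Test
    public void testLoginManagerReleasedIfConfigureThrowsException() {
        SaslChannelBuilder builder = createChannelBuilder(SecurityProtocol.SASL_SSL, "PLAIN");
        Assertions.assertThrows(KafkaException.class,
            () -> builder.configure(Collections.singletonMap("ssl.enabled.protocols", "1")),
            "Exception should have been thrown");
        Assertions.assertTrue(builder.loginManagers().isEmpty());
        builder.close();
        Assertions.assertTrue(builder.loginManagers().isEmpty());
    }

    /**
     * With native GSSAPI enabled, a server-side builder ends up with exactly one principal and one
     * private credential on its subject. A second builder created from the same JAAS contexts is
     * handed the very same {@link Subject}, and the acceptor credential is requested from the
     * {@link GSSManager} only once in total.
     */
    @Test
    public void testNativeGssapiCredentials() throws Exception {
        System.setProperty(NATIVE_GSS_PROPERTY, "true");

        TestJaasConfig jaasConfig = new TestJaasConfig();
        jaasConfig.addEntry("jaasContext", TestGssapiLoginModule.class.getName(), new HashMap<>());
        JaasContext jaasContext = new JaasContext("jaasContext", JaasContext.Type.SERVER, jaasConfig, (Password) null);
        Map<String, JaasContext> jaasContexts = Collections.singletonMap("GSSAPI", jaasContext);

        GSSManager gssManager = Mockito.mock(GSSManager.class);
        GSSName gssName = Mockito.mock(GSSName.class);
        Mockito.when(gssManager.createName(Mockito.anyString(), Mockito.any())).thenAnswer(unused -> gssName);
        Oid oid = new Oid(KERBEROS_V5_OID);
        // INDEFINITE_LIFETIME is Integer.MAX_VALUE and ACCEPT_ONLY is 2, so this stubs and verifies
        // exactly the call the literal values matched before; the names make the intent readable.
        Mockito.when(gssManager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, oid, GSSCredential.ACCEPT_ONLY))
            .thenAnswer(unused -> Mockito.mock(GSSCredential.class));

        SaslChannelBuilder first = createGssapiChannelBuilder(jaasContexts, gssManager);
        Assertions.assertEquals(1, first.subject("GSSAPI").getPrincipals().size());
        Assertions.assertEquals(1, first.subject("GSSAPI").getPrivateCredentials().size());

        SaslChannelBuilder second = createGssapiChannelBuilder(jaasContexts, gssManager);
        Assertions.assertEquals(1, second.subject("GSSAPI").getPrincipals().size());
        Assertions.assertEquals(1, second.subject("GSSAPI").getPrivateCredentials().size());

        // Same Subject instance and a single createCredential call: the second builder must not
        // have added another credential to the subject.
        Assertions.assertSame(first.subject("GSSAPI"), second.subject("GSSAPI"));
        Mockito.verify(gssManager, Mockito.times(1))
            .createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, oid, GSSCredential.ACCEPT_ONLY);
    }

    /**
     * Client builders must configure without throwing even when every public {@code *_CONFIG} key
     * declared on {@link BrokerSecurityConfigs} is present in the config map with a junk value.
     * The test only checks that {@code configure()} completes; it asserts nothing about how the
     * broker-only keys are treated.
     */
    @Test
    public void testClientChannelBuilderWithBrokerConfigs() throws Exception {
        Map<String, Object> configs = new HashMap<>();
        CertStores certStores = new CertStores(false, "client", "localhost");
        configs.putAll(certStores.getTrustingConfig(certStores));
        configs.put("sasl.kerberos.service.name", "kafka");
        configs.putAll(new ConfigDef().withClientSaslSupport().parse(configs));
        for (Field field : BrokerSecurityConfigs.class.getFields()) {
            if (field.getName().endsWith("_CONFIG")) {
                // The fields read here are constants; the instance argument is ignored for statics.
                configs.put(field.get(BrokerSecurityConfigs.class).toString(), "somevalue");
            }
        }
        createChannelBuilder(SecurityProtocol.SASL_PLAINTEXT, "PLAIN").configure(configs);
        createChannelBuilder(SecurityProtocol.SASL_PLAINTEXT, "GSSAPI").configure(configs);
        createChannelBuilder(SecurityProtocol.SASL_PLAINTEXT, "OAUTHBEARER").configure(configs);
        createChannelBuilder(SecurityProtocol.SASL_PLAINTEXT, "SCRAM-SHA-256").configure(configs);
        createChannelBuilder(SecurityProtocol.SASL_SSL, "PLAIN").configure(configs);
    }

    /**
     * Builds and configures a server-mode GSSAPI channel builder whose {@code gssManager()} hook
     * returns the supplied (mock) manager, so no real GSS provider is touched.
     *
     * @param map JAAS contexts keyed by SASL mechanism name
     * @param gSSManager manager returned from the overridden {@code gssManager()} hook
     * @return the configured builder
     */
    private SaslChannelBuilder createGssapiChannelBuilder(Map<String, JaasContext> map, final GSSManager gSSManager) {
        SaslChannelBuilder builder = new SaslChannelBuilder(
                Mode.SERVER,
                map,
                SecurityProtocol.SASL_PLAINTEXT,
                new ListenerName("GSSAPI"),
                false,
                "GSSAPI",
                true,
                null,
                null,
                null,
                Time.SYSTEM,
                new LogContext(),
                defaultApiVersionsSupplier()) {
            @Override
            protected GSSManager gssManager() {
                return gSSManager;
            }
        };
        builder.configure(new TestSecurityConfig(Collections.singletonMap("sasl.kerberos.service.name", "kafka")).values());
        return builder;
    }

    /** Supplies the default API-versions response for a ZK broker listener. */
    private Supplier<ApiVersionsResponse> defaultApiVersionsSupplier() {
        return () -> ApiVersionsResponse.defaultApiVersionsResponse(ApiMessageType.ListenerType.ZK_BROKER);
    }

    /**
     * Creates an unconfigured client-mode channel builder for one SASL mechanism, backed by a
     * single-entry test JAAS configuration that names the matching login module.
     *
     * @param securityProtocol protocol passed through to the builder
     * @param str SASL mechanism name: PLAIN, SCRAM-SHA-256, OAUTHBEARER or GSSAPI
     * @return the new, not yet configured builder
     * @throws IllegalArgumentException if the mechanism is not one of the four above
     */
    private SaslChannelBuilder createChannelBuilder(SecurityProtocol securityProtocol, String str) {
        Class<? extends LoginModule> loginModule;
        switch (str) {
            case "PLAIN":
                loginModule = PlainLoginModule.class;
                break;
            case "SCRAM-SHA-256":
                loginModule = ScramLoginModule.class;
                break;
            case "OAUTHBEARER":
                loginModule = OAuthBearerLoginModule.class;
                break;
            case "GSSAPI":
                // The stub module avoids needing a real Kerberos environment.
                loginModule = TestGssapiLoginModule.class;
                break;
            default:
                throw new IllegalArgumentException("Unsupported SASL mechanism " + str);
        }
        TestJaasConfig jaasConfig = new TestJaasConfig();
        jaasConfig.addEntry("jaasContext", loginModule.getName(), new HashMap<>());
        // NOTE(review): the builder runs in Mode.CLIENT but the JAAS context is typed SERVER;
        // kept as found - confirm whether this pairing is intentional.
        JaasContext jaasContext = new JaasContext("jaasContext", JaasContext.Type.SERVER, jaasConfig, (Password) null);
        return new SaslChannelBuilder(
                Mode.CLIENT,
                Collections.singletonMap(str, jaasContext),
                securityProtocol,
                new ListenerName(str),
                false,
                str,
                true,
                (CredentialCache) null,
                (DelegationTokenCache) null,
                (String) null,
                Time.SYSTEM,
                new LogContext(),
                defaultApiVersionsSupplier());
    }
}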
