package org.apache.nifi.web.security.knox;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.JWTID;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang3.SystemUtils;
import org.apache.nifi.web.security.InvalidAuthenticationException;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.BeforeClass;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/nifi/web/security/knox/KnoxServiceTest.class */
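/**
 * Unit tests for {@link KnoxService} token handling against a mocked {@link KnoxConfiguration}.
 *
 * <p>The cases cover the checks a Knox SSO token is expected to pass or fail here: the service
 * being disabled, a valid RS256 signature, a signature from a different key, an unsigned
 * (plain) JWT, an expired token, and audience matching.
 *
 * <p>Each test generates fresh RSA keys; no key material is shared between tests.
 */
public class KnoxServiceTest {
    private static final String AUDIENCE = "https://apache-knox/token";
    private static final String AUDIENCE_2 = "https://apache-knox-2/token";
    private static final String SUBJECT = "user-1";

    // Pinned so the tests do not depend on the JCA provider's default RSA key size,
    // which differs between JDK releases.
    private static final int RSA_KEY_SIZE_BITS = 2048;

    /** Skips the whole class on Windows. */
    @BeforeClass
    public static void setupClass() {
        Assume.assumeTrue("Test only runs on *nix", !SystemUtils.IS_OS_WINDOWS);
    }

    /** With Knox disabled, asking for the Knox URL must fail with {@link IllegalStateException}. */
    @Test(expected = IllegalStateException.class)
    public void testKnoxSsoNotEnabledGetKnoxUrl() throws Exception {
        KnoxService knoxService = new KnoxService(getDisabledConfiguration());
        Assert.assertFalse(knoxService.isKnoxEnabled());
        knoxService.getKnoxUrl();
    }

    /** With Knox disabled, token authentication must fail with {@link IllegalStateException}. */
    @Test(expected = IllegalStateException.class)
    public void testKnoxSsoNotEnabledGetAuthenticatedFromToken() throws Exception {
        KnoxService knoxService = new KnoxService(getDisabledConfiguration());
        Assert.assertFalse(knoxService.isKnoxEnabled());
        knoxService.getAuthenticationFromToken("jwt-token-value");
    }

    /**
     * Builds the claims for a test token.
     *
     * @param subject value used as the client id of the claims set
     * @param audience the single audience placed in the claims
     * @param expiration expiration time of the token
     * @return claims with a fresh JWT id and no not-before or issued-at time
     */
    private JWTAuthenticationClaimsSet getAuthenticationClaimsSet(String subject, String audience, Date expiration) {
        return new JWTAuthenticationClaimsSet(
                new ClientID(subject),
                new Audience(audience).toSingleAudienceList(),
                expiration,
                (Date) null,
                (Date) null,
                new JWTID());
    }

    /** A token signed by the key pair whose public half is configured authenticates its subject. */
    @Test
    public void testSignedJwt() throws Exception {
        Date expiration = expiresIn(5L);
        KeyPair keyPair = generateRsaKeyPair();
        String token = signToken(SUBJECT, AUDIENCE, expiration, (RSAPrivateKey) keyPair.getPrivate());

        KnoxService knoxService = new KnoxService(getConfiguration((RSAPublicKey) keyPair.getPublic()));
        Assert.assertEquals(SUBJECT, knoxService.getAuthenticationFromToken(token));
    }

    /** A token signed by a key that does not match the configured public key is rejected. */
    @Test(expected = InvalidAuthenticationException.class)
    public void testBadSignedJwt() throws Exception {
        Date expiration = expiresIn(5L);
        // Two independent key pairs: the token is signed with one, the service trusts the other.
        RSAPrivateKey signingKey = (RSAPrivateKey) generateRsaKeyPair().getPrivate();
        RSAPublicKey unrelatedPublicKey = (RSAPublicKey) generateRsaKeyPair().getPublic();
        String token = signToken(SUBJECT, AUDIENCE, expiration, signingKey);

        new KnoxService(getConfiguration(unrelatedPublicKey)).getAuthenticationFromToken(token);
    }

    /**
     * An unsigned (plain) JWT must never authenticate, even with a valid subject and expiration.
     * The expected failure here is a {@link ParseException} rather than an
     * {@link InvalidAuthenticationException}.
     */
    @Test(expected = ParseException.class)
    public void testPlainJwt() throws Exception {
        RSAPublicKey publicKey = (RSAPublicKey) generateRsaKeyPair().getPublic();
        KnoxService knoxService = new KnoxService(getConfiguration(publicKey));

        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(SUBJECT)
                .expirationTime(expiresIn(5L))
                .build();
        knoxService.getAuthenticationFromToken(new PlainJWT(claims).serialize());
    }

    /** A correctly signed token whose expiration has passed is rejected. */
    @Test(expected = InvalidAuthenticationException.class)
    public void testExpiredJwt() throws Exception {
        // The token expires one second from now ...
        Date expiration = expiresIn(1L);
        KeyPair keyPair = generateRsaKeyPair();
        RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();

        // ... and two seconds pass before it is signed and validated, so it is already expired.
        Thread.sleep(TimeUnit.SECONDS.toMillis(2L));

        String token = signToken(SUBJECT, AUDIENCE, expiration, privateKey);
        new KnoxService(getConfiguration(publicKey)).getAuthenticationFromToken(token);
    }

    /**
     * When the configuration reports no audiences ({@code null}), a signed token still
     * authenticates.
     *
     * <p>NOTE(review): despite the test name, this pins the "no audience configured" path. It
     * suggests a deployment without configured audiences does not restrict tokens by audience;
     * confirm against {@link KnoxService} and make sure production configurations set audiences.
     */
    @Test
    public void testRequiredAudience() throws Exception {
        Date expiration = expiresIn(5L);
        KeyPair keyPair = generateRsaKeyPair();
        String token = signToken(SUBJECT, AUDIENCE, expiration, (RSAPrivateKey) keyPair.getPrivate());

        KnoxConfiguration configuration = getConfiguration((RSAPublicKey) keyPair.getPublic());
        // Override the default stub: no audiences configured at all.
        Mockito.when(configuration.getAudiences()).thenReturn(null);

        Assert.assertEquals(SUBJECT, new KnoxService(configuration).getAuthenticationFromToken(token));
    }

    /** A correctly signed token whose audience is not one of the configured audiences is rejected. */
    @Test(expected = InvalidAuthenticationException.class)
    public void testInvalidAudience() throws Exception {
        Date expiration = expiresIn(5L);
        KeyPair keyPair = generateRsaKeyPair();
        String token = signToken(SUBJECT, "incorrect-audience", expiration, (RSAPrivateKey) keyPair.getPrivate());

        // No assertion on the result: the call itself has to throw.
        new KnoxService(getConfiguration((RSAPublicKey) keyPair.getPublic())).getAuthenticationFromToken(token);
    }

    /**
     * Creates a mocked configuration with Knox enabled.
     *
     * @param rSAPublicKey public key the service should use to verify token signatures
     * @return a mock reporting Knox as enabled, a fixed URL and cookie name, the two test
     *     audiences, and the given public key
     */
    private KnoxConfiguration getConfiguration(RSAPublicKey rSAPublicKey) throws Exception {
        KnoxConfiguration knoxConfiguration = Mockito.mock(KnoxConfiguration.class);
        Mockito.when(knoxConfiguration.isKnoxEnabled()).thenReturn(true);
        Mockito.when(knoxConfiguration.getKnoxUrl()).thenReturn("knox-sso-url");
        Mockito.when(knoxConfiguration.getKnoxCookieName()).thenReturn("knox-cookie-name");
        Mockito.when(knoxConfiguration.getAudiences())
                .thenReturn(Stream.of(AUDIENCE, AUDIENCE_2).collect(Collectors.toSet()));
        Mockito.when(knoxConfiguration.getKnoxPublicKey()).thenReturn(rSAPublicKey);
        return knoxConfiguration;
    }

    /** Creates a mocked configuration that reports Knox as disabled and stubs nothing else. */
    private static KnoxConfiguration getDisabledConfiguration() {
        KnoxConfiguration knoxConfiguration = Mockito.mock(KnoxConfiguration.class);
        Mockito.when(knoxConfiguration.isKnoxEnabled()).thenReturn(false);
        return knoxConfiguration;
    }

    /** Generates a throwaway RSA key pair of {@link #RSA_KEY_SIZE_BITS} bits. */
    private static KeyPair generateRsaKeyPair() throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(RSA_KEY_SIZE_BITS);
        return generator.generateKeyPair();
    }

    /** Returns a point in time the given number of seconds after now. */
    private static Date expiresIn(long seconds) {
        return new Date(System.currentTimeMillis() + TimeUnit.SECONDS.toMillis(seconds));
    }

    /**
     * Builds an RS256-signed token and returns its serialized form.
     *
     * @param subject subject (client id) of the token
     * @param audience audience claim of the token
     * @param expiration expiration time of the token
     * @param privateKey key used to sign the token
     * @return the serialized signed JWT
     */
    private String signToken(String subject, String audience, Date expiration, RSAPrivateKey privateKey)
            throws Exception {
        PrivateKeyJWT privateKeyJwt = new PrivateKeyJWT(
                getAuthenticationClaimsSet(subject, audience, expiration),
                JWSAlgorithm.RS256,
                privateKey,
                (String) null,
                (Provider) null);
        return privateKeyJwt.getClientAssertion().serialize();
    }
}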
