package org.apache.qpid.server.security.auth.manager;

import java.net.URL;
import java.net.URLDecoder;
import java.util.Base64;
import java.util.Map;
import org.apache.qpid.server.security.TokenCarryingPrincipal;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.test.EmbeddedKdcResource;
import org.apache.qpid.server.test.KerberosUtilities;
import org.apache.qpid.test.utils.JvmVendor;
import org.apache.qpid.test.utils.SystemPropertySetter;
import org.apache.qpid.test.utils.UnitTestBase;
import org.hamcrest.Matchers;
import org.ietf.jgss.GSSException;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.mockito.Mockito;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/security/auth/manager/SpnegoAuthenticatorTest.class */
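/**
 * Exercises {@link SpnegoAuthenticator} against an embedded KDC.
 *
 * <p>One test covers the successful path. The others check that the authenticator returns an
 * {@code ERROR} result for a missing header, a header without the {@code Negotiate} scheme,
 * an empty or non-SPNEGO token, an unknown login-config scope, and a token built for a
 * different service principal.
 */
public class SpnegoAuthenticatorTest extends UnitTestBase {
    private static final Logger LOGGER = LoggerFactory.getLogger(SpnegoAuthenticatorTest.class);
    private static final KerberosUtilities UTILS = new KerberosUtilities();

    private static final String REALM = "QPID.ORG";
    private static final String CLIENT_NAME = "client";
    private static final String SERVER_NAME = "AMQP/localhost";
    private static final String ANOTHER_SERVICE = "foo/localhost";
    private static final String LOGIN_CONFIG = "login.config";

    /** Authorization scheme prefix (including the separating space) used by these tests. */
    private static final String NEGOTIATE_PREFIX = "Negotiate ";

    @ClassRule
    public static final EmbeddedKdcResource KDC = new EmbeddedKdcResource(REALM);

    @ClassRule
    public static final SystemPropertySetter SYSTEM_PROPERTY_SETTER = new SystemPropertySetter();

    private SpnegoAuthenticator _spnegoAuthenticator;
    private KerberosAuthenticationManager _kerberosAuthenticationManager;

    /**
     * Creates the broker, client and "other service" principals in the embedded KDC and points
     * JAAS at the test {@code login.config} resource.
     *
     * <p>The whole class is skipped when the JVM vendor is IBM.
     *
     * @throws Exception if a principal cannot be created or the config path cannot be decoded
     */
    @BeforeClass
    public static void createKeyTabs() throws Exception {
        Assume.assumeThat(getJvmVendor(), Matchers.not(JvmVendor.IBM));

        KDC.createPrincipal("broker.keytab", SERVER_NAME + "@" + REALM);
        KDC.createPrincipal("client.keytab", CLIENT_NAME + "@" + REALM);
        KDC.createPrincipal("another.keytab", ANOTHER_SERVICE + "@" + REALM);

        final URL loginConfig =
                KerberosAuthenticationManagerTest.class.getClassLoader().getResource(LOGIN_CONFIG);
        LOGGER.debug("JAAS config:{}", loginConfig);
        Assert.assertNotNull(loginConfig);

        // The resource path is URL-encoded; decode it before handing it to JAAS as a file path.
        SYSTEM_PROPERTY_SETTER.setSystemProperty(
                "java.security.auth.login.config", URLDecoder.decode(loginConfig.getPath(), "UTF-8"));
        // With this set to "false", JGSS may obtain credentials through the JAAS login
        // configuration instead of requiring them on the current Subject.
        SYSTEM_PROPERTY_SETTER.setSystemProperty("javax.security.auth.useSubjectCredsOnly", "false");
    }

    /**
     * Builds a fresh authenticator around a mocked manager that reports the acceptor login
     * scope and asks for the realm to be stripped from the principal name.
     */
    @Before
    public void setUp() {
        _kerberosAuthenticationManager = Mockito.mock(KerberosAuthenticationManager.class);
        Mockito.when(_kerberosAuthenticationManager.getSpnegoLoginConfigScope())
               .thenReturn("com.sun.security.jgss.accept");
        Mockito.when(_kerberosAuthenticationManager.isStripRealmFromPrincipalName()).thenReturn(true);
        _spnegoAuthenticator = new SpnegoAuthenticator(_kerberosAuthenticationManager);
    }

    /**
     * A token built for the broker's own service principal authenticates, yields the client
     * name without the realm, and carries a {@code WWW-Authenticate} token.
     */
    @Test
    public void testAuthenticate() throws GSSException {
        final AuthenticationResult result =
                _spnegoAuthenticator.authenticate(negotiateHeaderFor(SERVER_NAME));

        Assert.assertNotNull(result);
        Assert.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, result.getStatus());

        // Hold the principal as Object so the instanceof assertion is a real runtime check
        // rather than something the declared type already guarantees.
        final Object principal = result.getMainPrincipal();
        Assert.assertTrue(principal instanceof TokenCarryingPrincipal);

        final TokenCarryingPrincipal tokenPrincipal = (TokenCarryingPrincipal) principal;
        // The mocked manager requests realm stripping, so "client" is expected here even
        // though the principal was created as client@QPID.ORG.
        Assert.assertEquals(CLIENT_NAME, tokenPrincipal.getName());

        final Map<?, ?> tokens = tokenPrincipal.getTokens();
        Assert.assertNotNull(tokens);
        // NOTE(review): presumably the acceptor's response token for the client - confirm
        // against SpnegoAuthenticator.
        Assert.assertTrue(tokens.containsKey("WWW-Authenticate"));
    }

    /** A missing (null) authorization header must produce an ERROR result, not an exception. */
    @Test
    public void testAuthenticateNoAuthenticationHeader() {
        assertError(_spnegoAuthenticator.authenticate((String) null));
    }

    /** An otherwise valid token sent without the "Negotiate " scheme prefix is rejected. */
    @Test
    public void testAuthenticateNoNegotiatePrefix() throws GSSException {
        final String bareToken = Base64.getEncoder().encodeToString(buildToken(SERVER_NAME));
        assertError(_spnegoAuthenticator.authenticate(bareToken));
    }

    /** The scheme prefix with nothing after it is rejected. */
    @Test
    public void testAuthenticateEmptyToken() {
        assertError(_spnegoAuthenticator.authenticate(NEGOTIATE_PREFIX));
    }

    /** Well-formed Base64 that is not a SPNEGO token ("Zm9v" decodes to "foo") is rejected. */
    @Test
    public void testAuthenticateInvalidToken() {
        assertError(_spnegoAuthenticator.authenticate(NEGOTIATE_PREFIX + "Zm9v"));
    }

    /**
     * A valid token fails when the manager reports the login-config scope "foo".
     * NOTE(review): this relies on login.config having no "foo" entry - confirm.
     */
    @Test
    public void testAuthenticateWrongConfigName() throws GSSException {
        Mockito.when(_kerberosAuthenticationManager.getSpnegoLoginConfigScope()).thenReturn("foo");
        assertError(_spnegoAuthenticator.authenticate(negotiateHeaderFor(SERVER_NAME)));
    }

    /**
     * A token built for another service principal (foo/localhost) must not be accepted by the
     * authenticator under test, whose tokens are otherwise built for AMQP/localhost.
     */
    @Test
    public void testAuthenticateWrongServer() throws GSSException {
        assertError(_spnegoAuthenticator.authenticate(negotiateHeaderFor(ANOTHER_SERVICE)));
    }

    /** Asserts that the result is present and has ERROR status. */
    private static void assertError(final AuthenticationResult result) {
        Assert.assertNotNull(result);
        Assert.assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, result.getStatus());
    }

    /**
     * Returns "Negotiate " followed by the Base64 form of a token built for the given service.
     *
     * @param serviceName service principal name the token is built for
     * @throws GSSException if the token cannot be built
     */
    private String negotiateHeaderFor(final String serviceName) throws GSSException {
        return NEGOTIATE_PREFIX + Base64.getEncoder().encodeToString(buildToken(serviceName));
    }

    /**
     * Builds a token for the test client towards the given service.
     *
     * @param str service principal name passed to the Kerberos test utilities
     * @throws GSSException if the token cannot be built
     */
    private byte[] buildToken(String str) throws GSSException {
        return UTILS.buildToken(CLIENT_NAME, str);
    }
}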
