package io.confluent.kafka.server.plugins.auth.token;

import io.confluent.kafka.clients.plugins.auth.jwt.JwtVerificationException;
import io.confluent.kafka.test.utils.TokenTestUtils;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.security.authenticator.TestJaasConfig;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.apache.kafka.test.TestUtils;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/token/TokenBearerValidatorCallbackHandlerTest.class */
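/**
 * Tests for {@link TokenBearerValidatorCallbackHandler}, the server-side callback handler that
 * validates OAUTHBEARER tokens presented as JWS strings.
 *
 * <p>One test covers the accept path through {@code handle(Callback[])}. The others check that
 * configuration or token processing fails when the key path is invalid, the configured public
 * key was replaced by another key, the token has expired, the issuer differs, the subject is
 * missing, or the token carries no expiration time.
 *
 * <p>NOTE(review): every rejection test calls {@code processToken} directly. None of them checks
 * what {@code handle(Callback[])} reports on the callback (for example {@code errorStatus()})
 * when a token is rejected, so that path is not covered by this class.
 */
public class TokenBearerValidatorCallbackHandlerTest {
    private TokenTestUtils.JwsContainer jwsContainer;
    private Map<String, Object> configs;
    private final String defaultIssuer = "Confluent";
    private final String defaultSubject = "Customer";
    private final Path tempDir = TestUtils.tempDirectory().toPath();

    /**
     * Builds the broker-level config map passed to {@code configure}, pointing the multi-tenant
     * metadata directory at the resolved temporary directory.
     */
    @BeforeEach
    public void setUp() throws Exception {
        this.configs = new HashMap<>();
        this.configs.put(
                ConfluentConfigs.MULTITENANT_METADATA_DIR_CONFIG,
                this.tempDir.toRealPath().toString());
    }

    /** Intentionally empty: no per-test cleanup is performed here. */
    @AfterEach
    public void tearDown() {
    }

    /**
     * A token built with the default issuer and subject is attached to the callback unchanged
     * and no error status is set.
     */
    @Test
    public void testAttachesJws() throws Exception {
        this.jwsContainer = TokenTestUtils.setUpJws(36000, this.defaultIssuer, this.defaultSubject);
        TokenBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());
        OAuthBearerValidatorCallback callback =
                new OAuthBearerValidatorCallback(this.jwsContainer.getJwsToken());

        handler.handle(new Callback[] {callback});

        Assertions.assertNotNull(callback.token());
        Assertions.assertEquals(this.jwsContainer.getJwsToken(), callback.token().value());
        Assertions.assertNull(callback.errorStatus());
    }

    /** Configuring the handler with an invalid {@code publicKeyPath} raises a ConfigException. */
    @Test
    public void testConfigureRaisesExceptionWhenInvalidKeyPath() throws Exception {
        this.jwsContainer = TokenTestUtils.setUpJws(36000, this.defaultIssuer, this.defaultSubject);
        Map<String, String> options = baseOptions();
        // Appending a path segment to the key file's own path yields a location that cannot be a key file.
        options.put(
                "publicKeyPath",
                this.jwsContainer.getPublicKeyFile().getAbsolutePath() + "/invalid!");

        Assertions.assertThrows(ConfigException.class, () -> createCallbackHandler(options));
    }

    /**
     * A token is rejected when the configured public key file holds a different key.
     *
     * <p>The public key file is overwritten with the public half of a freshly generated key pair
     * before the handler is configured, so the handler reads a key other than the one written by
     * {@code setUpJws}.
     */
    @Test
    public void testRaisesJwtExceptionWhenInvalidJws() throws Exception {
        this.jwsContainer = TokenTestUtils.setUpJws(36000, this.defaultIssuer, this.defaultSubject);
        TokenTestUtils.writePemFile(
                this.jwsContainer.getPublicKeyFile(),
                TokenTestUtils.generateKeyPair().getPublic());
        TokenBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> handler.processToken(this.jwsContainer.getJwsToken()));
    }

    /**
     * An expired token is rejected.
     *
     * <p>NOTE(review): this test depends on wall-clock timing. The token is created with a
     * lifetime argument of 50 and the test then sleeps 100 ms; the unit of the lifetime argument
     * is presumably milliseconds, but that is not visible here, so confirm it against
     * {@code TokenTestUtils.setUpJws}.
     */
    @Test
    public void testRaisesJwtExceptionWhenExpiredJws() throws Exception {
        this.jwsContainer = TokenTestUtils.setUpJws(50, this.defaultIssuer, this.defaultSubject);
        Thread.sleep(100L);
        TokenBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> handler.processToken(this.jwsContainer.getJwsToken()));
    }

    /** A token whose issuer is "AWS" rather than the default issuer is rejected. */
    @Test
    public void testRaisesJwtExceptionIfDifferentIssuer() throws Exception {
        this.jwsContainer = TokenTestUtils.setUpJws(36000, "AWS", this.defaultSubject);
        TokenBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> handler.processToken(this.jwsContainer.getJwsToken()));
    }

    /** A token built with a {@code null} subject is rejected. */
    @Test
    public void testRaisesJwtExceptionIfMissingSubject() throws Exception {
        this.jwsContainer = TokenTestUtils.setUpJws(36000, this.defaultIssuer, null);
        TokenBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> handler.processToken(this.jwsContainer.getJwsToken()));
    }

    /**
     * A token built with a {@code null} lifetime is rejected, so a token without an expiration
     * time is not accepted as valid indefinitely.
     */
    @Test
    public void testRaisesJwtExceptionIfNoExpirationTime() throws Exception {
        this.jwsContainer = TokenTestUtils.setUpJws(null, this.defaultIssuer, this.defaultSubject);
        TokenBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());

        Assertions.assertThrows(
                JwtVerificationException.class,
                () -> handler.processToken(this.jwsContainer.getJwsToken()));
    }

    /**
     * Creates and configures a handler for the OAUTHBEARER mechanism.
     *
     * @param map JAAS login-module options (for example {@code publicKeyPath}, {@code audience})
     * @return a handler configured with {@link #configs} and a single "Kafka" JAAS entry
     */
    private TokenBearerValidatorCallbackHandler createCallbackHandler(Map<String, String> map) {
        TestJaasConfig jaasConfig = new TestJaasConfig();
        jaasConfig.createOrUpdateEntry(
                "Kafka",
                "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule",
                map);
        TokenBearerValidatorCallbackHandler handler = new TokenBearerValidatorCallbackHandler();
        handler.configure(
                this.configs,
                "OAUTHBEARER",
                Collections.singletonList(jaasConfig.getAppConfigurationEntry("Kafka")[0]));
        return handler;
    }

    /**
     * Returns the default JAAS options: the public key path of the current JWS container and an
     * empty {@code audience} value. A default container is created if no test has set one yet.
     *
     * @return a fresh, mutable options map
     */
    private Map<String, String> baseOptions() throws Exception {
        if (this.jwsContainer == null) {
            this.jwsContainer = TokenTestUtils.setUpJws(36000, this.defaultIssuer, this.defaultSubject);
        }
        Map<String, String> options = new HashMap<>();
        options.put("publicKeyPath", this.jwsContainer.getPublicKeyFile().getAbsolutePath());
        // Joining zero audience entries gives the empty string. How the handler treats an empty
        // audience is not visible in this file.
        options.put("audience", String.join(","));
        return options;
    }
}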
