package io.confluent.kafka.server.plugins.auth;

import com.github.dockerjava.zerodep.shaded.org.apache.hc.client5.http.cookie.StandardCookieSpec;
import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.security.rbac.Role;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import javax.security.sasl.SaslException;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.security.authenticator.PathAwareSniHostName;
import org.apache.kafka.common.security.plain.internals.PlainServerCallbackHandler;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.server.audit.AuditEventStatus;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mindrot.jbcrypt.BCrypt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/FileBasedPlainSaslAuthenticatorTest.class */
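/**
 * Tests {@link FileBasedPlainSaslAuthenticator}: SASL/PLAIN authentication against file-backed
 * credentials, and validation of the SNI host name's cluster id against the API key's cluster id.
 *
 * <p>The fixtures ({@code saslAuth}, {@code jaasEntries}) and {@code setAuthenticatorValidationMode}
 * are inherited from {@link AbstractFileBasedPlainSaslAuthenticatorTest}; the credential entries
 * used below ({@code bkey}, {@code pkey}, {@code skey}) are presumably defined in the test
 * configuration that base class loads (not visible in this file).
 *
 * <p>Every failure case asserts two things separately: {@code getMessage()} stays the generic
 * {@code "Authentication failed"}, while {@code errorInfo()} carries the specific reason, the
 * identifier and the cluster id. Unknown-user and bad-password failures are therefore
 * indistinguishable by message and differ only in {@code errorInfo()}. Do not fold the specific
 * reason into the message when changing the authenticator.
 *
 * <p>NOTE(review): strict mode is only exercised with an SNI host name present. A strict-mode case
 * with {@code Optional.empty()} is not covered in this class. Confirm it is covered elsewhere.
 */
public class FileBasedPlainSaslAuthenticatorTest extends AbstractFileBasedPlainSaslAuthenticatorTest {
    private static final Logger log = LoggerFactory.getLogger(FileBasedPlainSaslAuthenticatorTest.class);
    public static final String USER_ID_1 = "23";
    public static final String TENANT_NAME_1 = "lkc-bkey";
    public static final String CLUSTER_ID_1 = "lkc-bkey";

    // Test-only fixture secret for API key "bkey"; never reuse outside the test configuration.
    private static final String BKEY_SECRET = "MKRWvhKV5Xd8VQ05JYre6f+aAq0UBXutZjsHWnQd/GYNR6DfqFeay+VNnReeTRpe";

    // Validation-mode name for strict SNI checking. The decompiled source referenced an unrelated
    // HTTP-client cookie constant (StandardCookieSpec.STRICT) that happens to hold the same value.
    private static final String STRICT_VALIDATION_MODE = "strict";

    private static final String GENERIC_FAILURE_MESSAGE = "Authentication failed";

    @Override // io.confluent.kafka.server.plugins.auth.AbstractFileBasedPlainSaslAuthenticatorTest
    protected FileBasedPlainSaslAuthenticator createAuthenticator() {
        return new FileBasedPlainSaslAuthenticator();
    }

    /** A correct secret for the "bkey" entry yields the expected tenant principal. */
    @Test
    public void testHashedPasswordAuth() throws Exception {
        assertPrincipal("lkc-bkey_23", USER_ID_1, TENANT_NAME_1, CLUSTER_ID_1, true,
                this.saslAuth.authenticate("bkey", BKEY_SECRET, Optional.empty()));
    }

    /** A correct secret for the "pkey" entry authenticates; repeated to show the result is stable. */
    @Test
    public void testPlainPasswordAuth() throws Exception {
        for (int i = 0; i < 3; i++) {
            assertPrincipal("confluent_7", "7", Role.NAMESPACE_CONFLUENT, Role.NAMESPACE_CONFLUENT, true,
                    this.saslAuth.authenticate("pkey", "no hash", Optional.empty()));
        }
    }

    /** The "skey" entry authenticates as a principal for which {@code isSuperUser(false, false)} is false. */
    @Test
    public void testServiceAccountAuth() throws Exception {
        for (int i = 0; i < 3; i++) {
            MultiTenantPrincipal principal = this.saslAuth.authenticate("skey", "service secret", Optional.empty());
            Assertions.assertEquals("test_service_11", principal.getName());
            Assertions.assertEquals("11", principal.user());
            Assertions.assertEquals("test_service", principal.tenantMetadata().tenantName);
            Assertions.assertEquals("test_service", principal.tenantMetadata().clusterId);
            Assertions.assertFalse(principal.isSuperUser(false, false));
        }
    }

    /**
     * An unknown user name is rejected with the generic message; the audit status is
     * {@code UNKNOWN_USER_DENIED} and the cluster id in the error info is empty.
     */
    @Test
    public void testInvalidUser() throws Exception {
        for (int i = 0; i < 3; i++) {
            SaslAuthenticationException e = Assertions.assertThrows(
                    SaslAuthenticationException.class,
                    () -> this.saslAuth.authenticate("no_user", "blah", Optional.empty()),
                    "Invalid user name should fail the authentication");
            Assertions.assertEquals(GENERIC_FAILURE_MESSAGE, e.getMessage());
            Assertions.assertEquals(AuditEventStatus.UNKNOWN_USER_DENIED, e.errorInfo().auditEventStatus());
            Assertions.assertEquals("Unknown user no_user", e.errorInfo().errorMessage());
            Assertions.assertEquals("no_user", e.errorInfo().identifier());
            Assertions.assertEquals("", e.errorInfo().clusterId());
        }
    }

    /** A wrong secret for "bkey" is rejected with the generic message and {@code UNAUTHENTICATED} status. */
    @Test
    public void testInvalidHashedPassword() throws Exception {
        for (int i = 0; i < 3; i++) {
            SaslAuthenticationException e = Assertions.assertThrows(
                    SaslAuthenticationException.class,
                    () -> this.saslAuth.authenticate("bkey", "not right", Optional.empty()),
                    "Invalid hashed password should fail the authentication");
            Assertions.assertEquals(GENERIC_FAILURE_MESSAGE, e.getMessage());
            Assertions.assertEquals(AuditEventStatus.UNAUTHENTICATED, e.errorInfo().auditEventStatus());
            Assertions.assertEquals("Bad password for user bkey", e.errorInfo().errorMessage());
            Assertions.assertEquals("bkey", e.errorInfo().identifier());
            Assertions.assertEquals(CLUSTER_ID_1, e.errorInfo().clusterId());
        }
    }

    /** A wrong secret for "pkey" is rejected with the generic message and {@code UNAUTHENTICATED} status. */
    @Test
    public void testInvalidPlainPassword() throws Exception {
        SaslAuthenticationException e = Assertions.assertThrows(
                SaslAuthenticationException.class,
                () -> this.saslAuth.authenticate("pkey", "not right", Optional.empty()),
                "Invalid plain password should fail the authentication");
        Assertions.assertEquals(GENERIC_FAILURE_MESSAGE, e.getMessage());
        Assertions.assertEquals(AuditEventStatus.UNAUTHENTICATED, e.errorInfo().auditEventStatus());
        Assertions.assertEquals("Bad password for user pkey", e.errorInfo().errorMessage());
        Assertions.assertEquals("pkey", e.errorInfo().identifier());
        Assertions.assertEquals(Role.NAMESPACE_CONFLUENT, e.errorInfo().clusterId());
    }

    /**
     * Micro-benchmark: counts how many {@code BCrypt.checkpw} calls complete in about one second
     * and logs the average cost per call. It makes no assertions, so it cannot fail on a slow or
     * fast hash; treat the logged figure as informational only.
     */
    @Test
    public void testCheckpwPerSecond() throws Exception {
        Map.Entry<String, MultiTenantSaslConfigEntry> entry = new MultiTenantSaslSecretsLoader(1)
                .load(FileBasedPlainSaslAuthenticator.configEntryOption(this.jaasEntries, "config_path", FileBasedLoginModule.class.getName()), 100L, 100000000L)
                .entries()
                .entrySet()
                .iterator()
                .next();
        long operations = 0;
        // The decompiled source lost the start timestamp (it referenced an undefined "r0"),
        // so capture it explicitly and report the time actually elapsed.
        long startMs = Time.SYSTEM.milliseconds();
        long deadlineMs = startMs + 1000;
        do {
            // The user id is passed as the candidate and the boolean result is discarded:
            // only the cost of one verification is being measured.
            BCrypt.checkpw(entry.getValue().userId(), entry.getValue().hashedSecret());
            operations++;
        } while (Time.SYSTEM.milliseconds() < deadlineMs);
        double elapsedSeconds = (Time.SYSTEM.milliseconds() - startMs) / 1000.0d;
        log.info("testCheckpwPerSecond: performed {} operations in {} seconds.  Average sec/op = {}", operations, elapsedSeconds, elapsedSeconds / operations);
    }

    /** The factory creates a {@code PlainSaslServer} for the PLAIN mechanism. */
    @Test
    public void testServerFactory() throws SaslException {
        FileBasedSaslServerFactory factory = new FileBasedSaslServerFactory();
        PlainServerCallbackHandler callbackHandler = new PlainServerCallbackHandler();
        Map<String, ?> noProps = Collections.emptyMap();
        callbackHandler.configure(noProps, "PLAIN", this.jaasEntries);
        // The cast doubles as a type check: a different SaslServer implementation fails the test.
        PlainSaslServer server = (PlainSaslServer) factory.createSaslServer("PLAIN", "", "", noProps, callbackHandler);
        Assertions.assertNotNull(server, "Server not created");
    }

    /** In "allow_legacy_bootstrap" mode a "pkc-" SNI host name does not block authentication. */
    @Test
    public void testPKCClusterIdShouldAuthenticateUserInLegacyMode() throws Exception {
        setAuthenticatorValidationMode("allow_legacy_bootstrap");
        assertPrincipal("lkc-bkey_23", USER_ID_1, TENANT_NAME_1, CLUSTER_ID_1, true,
                this.saslAuth.authenticate("bkey", BKEY_SECRET, Optional.of(new PathAwareSniHostName("pkc-12345.wrong.host.name"))));
    }

    /** In "optional_validation" mode an SNI host name unrelated to the key's cluster still authenticates. */
    @Test
    public void testIncorrectClusterIdShouldAuthenticateUserInOptionalMode() throws Exception {
        setAuthenticatorValidationMode("optional_validation");
        assertPrincipal("lkc-bkey_23", USER_ID_1, TENANT_NAME_1, CLUSTER_ID_1, true,
                this.saslAuth.authenticate("bkey", BKEY_SECRET, Optional.of(new PathAwareSniHostName("wrong.host.name"))));
    }

    /**
     * In strict mode a correct secret is still rejected when the SNI host name names a different
     * cluster ("lkc-wrong") than the API key's cluster ("lkc-bkey").
     */
    @Test
    public void testIncorrectClusterIdShouldFailAuthenticationInStrictMode() throws Exception {
        setAuthenticatorValidationMode(STRICT_VALIDATION_MODE);
        SaslAuthenticationException e = Assertions.assertThrows(
                SaslAuthenticationException.class,
                () -> this.saslAuth.authenticate("bkey", BKEY_SECRET, Optional.of(new PathAwareSniHostName("lkc-wrong-00aa.host.name"))),
                "Incorrect cluster Id should fail the authentication.");
        Assertions.assertEquals(GENERIC_FAILURE_MESSAGE, e.getMessage());
        Assertions.assertEquals(AuditEventStatus.UNAUTHENTICATED, e.errorInfo().auditEventStatus());
        Assertions.assertEquals(String.format("SNI cluster ID: %s does not match API key cluster ID %s for user name: %s", "lkc-wrong", "lkc-bkey", "bkey"), e.errorInfo().errorMessage());
        Assertions.assertEquals("bkey", e.errorInfo().identifier());
        Assertions.assertEquals(CLUSTER_ID_1, e.errorInfo().clusterId());
    }

    /** In strict mode an SNI host name that starts with the key's cluster id authenticates. */
    @Test
    public void testCorrectClusterIdShouldAuthenticateUser() throws Exception {
        setAuthenticatorValidationMode(STRICT_VALIDATION_MODE);
        assertPrincipal("lkc-bkey_23", USER_ID_1, TENANT_NAME_1, CLUSTER_ID_1, true,
                this.saslAuth.authenticate("bkey", BKEY_SECRET, Optional.of(new PathAwareSniHostName("lkc-bkey-0aa.rufus.confluent.cloud"))));
    }

    /** {@code clusterId} returns the key's cluster id for a known user and empty for an unknown one. */
    @Test
    public void testUnrecognizedUserShouldReturnEmptyClusterId() throws SaslException {
        Assertions.assertEquals(Optional.of(CLUSTER_ID_1), this.saslAuth.clusterId("bkey"));
        Assertions.assertEquals(Optional.empty(), this.saslAuth.clusterId("no-user"));
    }

    /**
     * Asserts every identity attribute of an authenticated principal.
     *
     * @param expectedName expected {@code getName()} value
     * @param expectedUser expected {@code user()} value
     * @param expectedTenant expected {@code tenantMetadata().tenantName}
     * @param expectedCluster expected {@code tenantMetadata().clusterId}
     * @param expectedSuperUser expected result of {@code isSuperUser(false, false)}
     * @param principal the principal returned by the authenticator
     */
    private void assertPrincipal(String expectedName, String expectedUser, String expectedTenant, String expectedCluster, boolean expectedSuperUser, MultiTenantPrincipal principal) {
        Assertions.assertEquals(expectedName, principal.getName());
        Assertions.assertEquals(expectedUser, principal.user());
        Assertions.assertEquals(expectedTenant, principal.tenantMetadata().tenantName);
        Assertions.assertEquals(expectedCluster, principal.tenantMetadata().clusterId);
        Assertions.assertEquals(expectedSuperUser, principal.isSuperUser(false, false));
    }

    // Surfaced by the decompiler as a compiler-generated bridge method; it only delegates to the
    // base-class fixture setup.
    @Override // io.confluent.kafka.server.plugins.auth.AbstractFileBasedPlainSaslAuthenticatorTest
    @BeforeEach
    public /* bridge */ /* synthetic */ void setUp() throws Exception {
        super.setUp();
    }
}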
