package io.confluent.security.auth.dataplane;

import io.confluent.kafka.server.plugins.auth.oauth.KafkaVerificationKeyResolver;
import io.confluent.kafka.server.plugins.auth.oauth.MockBasicAuthStore;
import io.confluent.kafka.server.plugins.auth.oauth.MockTrustCache;
import io.confluent.kafka.test.utils.KafkaTestUtils;
import io.confluent.security.authentication.oauthbearer.AlgorithmWhitelist;
import io.confluent.security.authentication.oauthbearer.ConstrainedVerificationKeyResolver;
import io.confluent.security.authentication.oauthbearer.JwksTestFixture;
import io.confluent.security.authentication.oauthbearer.KeyConstraintException;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.test.utils.JwtTestUtils;
import java.util.ArrayList;
import java.util.Collections;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.lang.JoseException;
import org.jose4j.lang.UnresolvableKeyException;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/security/auth/dataplane/KafkaVerificationKeyResolverTest.class */
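public class KafkaVerificationKeyResolverTest {
    /** Key id that the happy-path test expects to resolve from the fixture JWKS (see testResolveKey). */
    private static final String RESOLVABLE_RSA_KID = "568ed7c4-e11a-64b2-5371-36c5b2ae2dcb";
    /** Key id used where the key lookup itself is not what the test is exercising. */
    private static final String OTHER_KID = "43eeb8e1-6f06-551a-9017-92885575f0a1";
    /** An issuer that is never registered in the trust cache. */
    private static final String UNTRUSTED_ISSUER = "https://test-issuer-b.com";

    private ConstrainedVerificationKeyResolver keyResolver;
    private MockBasicAuthStore authStore;
    private MockTrustCache authCache;
    private final Scope orgA = new Scope.Builder("org=OrgA").build();
    /** The only issuer the resolver under test is built for and the trust cache is primed with. */
    private final String jwtIssuerA = "https://test-issuer-a.com";
    private final JsonWebKeySet jwks = JwtTestUtils.jsonWebKeySet();

    /**
     * Builds a resolver for {@link #jwtIssuerA} that is additionally constrained by the
     * fixture's algorithm whitelist, and registers the fixture JWKS for that issuer.
     */
    @BeforeEach
    public void setUp() throws Exception {
        createAuthStore();
        AlgorithmWhitelist whitelist =
            new AlgorithmWhitelist(JwksTestFixture.getStaticConfig().algorithmWhitelist());
        this.keyResolver = new ConstrainedVerificationKeyResolver(
            new KafkaVerificationKeyResolver(jwtIssuerA, "uuid"),
            Collections.singleton(whitelist));
        JwtTestUtils.updateJwtIssuer(this.authCache, jwtIssuerA, this.jwks, this.orgA);
    }

    /** Closes the auth store; thread-leak verification runs even if close() throws. */
    @AfterEach
    public void tearDown() {
        try {
            if (this.authStore != null) {
                this.authStore.close();
            }
        } finally {
            KafkaTestUtils.verifyThreadCleanup();
        }
    }

    private void createAuthStore() throws Exception {
        this.authStore = MockBasicAuthStore.create();
        this.authCache = (MockTrustCache) this.authStore.trustCache();
    }

    /**
     * Builds an unsigned JWS with the given {@code alg} header, an optional {@code kid} header
     * and, when {@code issuer} is non-null, a payload holding only an {@code iss} claim.
     */
    private static JsonWebSignature jwsWith(String algorithm, String kid, String issuer) {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setAlgorithmHeaderValue(algorithm);
        if (kid != null) {
            jws.setKeyIdHeaderValue(kid);
        }
        if (issuer != null) {
            JwtClaims claims = new JwtClaims();
            claims.setIssuer(issuer);
            jws.setPayload(claims.toJson());
        }
        return jws;
    }

    /** A whitelisted algorithm, a known kid and the trusted issuer resolve to a key. */
    @Test
    public void testResolveKey() throws JoseException {
        JsonWebSignature jws =
            jwsWith(AlgorithmIdentifiers.RSA_USING_SHA256, RESOLVABLE_RSA_KID, jwtIssuerA);
        Assertions.assertNotNull(this.keyResolver.resolveKey(jws, Collections.emptyList()));
    }

    /** A kid that is not in the issuer's JWKS is reported (the kid is echoed in the message). */
    @Test
    public void testUnResolveKeyInvalidKid() {
        JsonWebSignature jws = jwsWith(AlgorithmIdentifiers.RSA_USING_SHA256, "k1", jwtIssuerA);
        UnresolvableKeyException exc = Assertions.assertThrows(UnresolvableKeyException.class,
            () -> this.keyResolver.resolveKey(jws, Collections.emptyList()));
        Assertions.assertTrue(exc.getMessage().contains("\"kid\":\"k1\""));
    }

    /** A token without a kid header must not be resolved by guessing a key. */
    @Test
    public void testUnResolveKeyNoKid() {
        JsonWebSignature jws = jwsWith(AlgorithmIdentifiers.RSA_USING_SHA256, null, jwtIssuerA);
        UnresolvableKeyException exc = Assertions.assertThrows(UnresolvableKeyException.class,
            () -> this.keyResolver.resolveKey(jws, Collections.emptyList()));
        Assertions.assertTrue(exc.getMessage().contains("Cannot find kid field in the token"));
    }

    /**
     * An algorithm outside the whitelist is rejected by the constraint layer: the failure
     * surfaces as an UnresolvableKeyException whose cause is a KeyConstraintException naming
     * the offending algorithm. No payload is set, so the rejection does not depend on the issuer.
     */
    @Test
    public void testResolveKeyAlgorithmNotWhiteListed() {
        JsonWebSignature jws =
            jwsWith(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256, OTHER_KID, null);
        UnresolvableKeyException exc = Assertions.assertThrows(UnresolvableKeyException.class,
            () -> this.keyResolver.resolveKey(jws, Collections.emptyList()));
        Assertions.assertTrue(exc.getCause() instanceof KeyConstraintException);
        Assertions.assertTrue(exc.getCause().getMessage()
            .contains(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256));
    }

    /**
     * A token whose {@code iss} claim is not the issuer this resolver was built for must be
     * rejected even though its kid would otherwise resolve. This test previously lacked
     * {@code @Test} and set no payload at all, so the issuer check had no coverage; the
     * "Invalid issuer" fragment is kept from the original assertion.
     */
    @Test
    public void testResolveKeyInValidIssuer() {
        JsonWebSignature jws =
            jwsWith(AlgorithmIdentifiers.RSA_USING_SHA256, RESOLVABLE_RSA_KID, UNTRUSTED_ISSUER);
        UnresolvableKeyException exc = Assertions.assertThrows(UnresolvableKeyException.class,
            () -> this.keyResolver.resolveKey(jws, Collections.emptyList()));
        Assertions.assertTrue(exc.getMessage().contains("Invalid issuer"));
    }
}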
