package io.confluent.kafka.server.plugins.auth;

import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.kafka.multitenant.TenantMetadata;
import io.confluent.kafka.server.plugins.auth.stats.AuthenticationStats;
import java.lang.management.ManagementFactory;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanInfo;
import javax.management.MBeanServer;
import javax.management.ObjectInstance;
import javax.management.ObjectName;
import javax.management.QueryExp;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.sasl.SaslException;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.server.audit.AuditEventStatus;
import org.glassfish.jersey.internal.l10n.Localizable;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/PlainSaslServerTest.class */
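/**
 * Unit tests for {@link PlainSaslServer}: parsing of the SASL/PLAIN client response, rejection of
 * impersonation attempts, the audit details attached to authentication failures, and the
 * success/failure counters published through {@link AuthenticationStats} and JMX.
 *
 * <p>A SASL/PLAIN response (RFC 4616) is {@code [authzid] NUL authcid NUL passwd}, encoded as
 * UTF-8. Every message in this class is built with an explicit NUL separator and an explicit
 * charset, so the bytes under test do not depend on the platform default encoding.
 *
 * <p>{@code stats} is obtained through {@code AuthenticationStats.getInstance()} and reset before
 * each test, so it looks like state shared across the JVM. These tests therefore presumably must
 * not run concurrently with other tests that authenticate (confirm against AuthenticationStats).
 */
public class PlainSaslServerTest {
    /** Field separator of a SASL/PLAIN response: a single NUL (U+0000) character. */
    private static final String NUL = "\u0000";

    /** Cluster id the mocked authenticator reports for every lookup. */
    private static final String CLUSTER_ID = "test-cluster";

    private static final AuthenticationStats stats = AuthenticationStats.getInstance();

    private List<AppConfigurationEntry> jaasEntries;
    private SaslAuthenticator mockSaslAuth;
    private PlainSaslServer saslServer;

    /** Creates a server backed by a mocked authenticator and clears the shared counters. */
    @BeforeEach
    public void setUp() throws Exception {
        this.jaasEntries = Collections.emptyList();
        this.mockSaslAuth = Mockito.mock(SaslAuthenticator.class);
        Mockito.when(this.mockSaslAuth.clusterId((String) ArgumentMatchers.any())).thenReturn(Optional.of(CLUSTER_ID));
        this.saslServer = new PlainSaslServer(this.jaasEntries, this.mockSaslAuth, null);
        stats.reset();
    }

    /**
     * A response whose authorization id differs from the authenticated username must be refused.
     * Accepting it would let the holder of one account's credentials act under another identity.
     * The failure is audited as UNAUTHENTICATED against the username, not the requested authzid.
     */
    @Test
    public void shouldNotAllowImpersonation() throws Exception {
        SaslAuthenticationException e = Assertions.assertThrows(
            SaslAuthenticationException.class,
            () -> this.saslServer.evaluateResponse(saslMessage("impersonating", "foo", "bar")));
        Assertions.assertTrue(e.getMessage().contains("Client requested an authorization id that is different from username"));
        verifyErrorInfo(e, AuditEventStatus.UNAUTHENTICATED, "foo");
    }

    /** A successful authentication exposes the username as both ids and counts one success. */
    @Test
    public void authSucceedsWithMetrics() throws Exception {
        configureUser("foo", "bar", "tenant1");
        this.saslServer.evaluateResponse(saslMessage("", "foo", "bar"));
        Assertions.assertEquals("foo", this.saslServer.getAuthorizationID());
        Assertions.assertEquals("foo", this.saslServer.authenticationId());
        assertStats(1L, 0L);
    }

    /** A SaslException from the authenticator reaches the caller and counts one failure. */
    @Test
    public void authFailsWithMetrics() throws Exception {
        Mockito.doThrow(new SaslException("Top level msg", new Exception("Detailed cause")))
            .when(this.mockSaslAuth).authenticate("foo", "bar", Optional.empty());
        Assertions.assertThrows(
            SaslException.class,
            () -> this.saslServer.evaluateResponse(saslMessage("", "foo", "bar")));
        assertStats(0L, 1L);
    }

    /** A SaslException without a cause is handled like any other authentication failure. */
    @Test
    public void nullCauseIsOK() throws Exception {
        Mockito.doThrow(new SaslException("Top level msg", (Throwable) null))
            .when(this.mockSaslAuth).authenticate("foo", "bar", Optional.empty());
        Assertions.assertThrows(
            SaslException.class,
            () -> this.saslServer.evaluateResponse(saslMessage("", "foo", "bar")));
        assertStats(0L, 1L);
    }

    /** A response with no NUL separators is rejected and still counted as a failed attempt. */
    @Test
    public void parseFailsWithMetrics() throws Exception {
        Assertions.assertThrows(
            SaslAuthenticationException.class,
            () -> this.saslServer.evaluateResponse("garbage".getBytes(StandardCharsets.UTF_8)));
        assertStats(0L, 1L);
    }

    /** The counters are readable through the single Authentication MBean on the platform server. */
    @Test
    public void metricsInJMX() throws Exception {
        configureUser("foo", "bar", "tenant1");
        for (int attempt = 0; attempt < 7; attempt++) {
            this.saslServer.evaluateResponse(saslMessage("", "foo", "bar"));
        }
        MBeanServer mbeanServer = ManagementFactory.getPlatformMBeanServer();
        // A null query expression applies no filter beyond the object name.
        Set<ObjectInstance> beans = mbeanServer.queryMBeans(
            new ObjectName("io.confluent.kafka.server.plugins:type=Authentication"), null);
        Assertions.assertEquals(1, beans.size());
        ObjectName beanName = beans.iterator().next().getObjectName();
        HashMap<String, Object> attributes = new HashMap<>();
        for (MBeanAttributeInfo attribute : mbeanServer.getMBeanInfo(beanName).getAttributes()) {
            attributes.put(attribute.getName(), mbeanServer.getAttribute(beanName, attribute.getName()));
        }
        Assertions.assertEquals(7L, attributes.get("Succeeded"));
        Assertions.assertEquals(0L, attributes.get("Failed"));
        Assertions.assertEquals(7L, attributes.get("Total"));
    }

    /**
     * Missing fields and wrong token counts are rejected with a specific message and audit status.
     * The expected values show that a missing username is reported before a missing password and
     * before an authzid mismatch, and that it is audited as UNKNOWN_USER_DENIED with an empty
     * identifier, whereas a missing password is audited as UNAUTHENTICATED against the username.
     */
    @Test
    public void emptyTokens() {
        assertRejected(saslMessage("", "", ""),
            "Authentication failed: username not specified", AuditEventStatus.UNKNOWN_USER_DENIED, "");
        assertRejected(saslMessage("", "", "p"),
            "Authentication failed: username not specified", AuditEventStatus.UNKNOWN_USER_DENIED, "");
        assertRejected(saslMessage("", "u", ""),
            "Authentication failed: password not specified", AuditEventStatus.UNAUTHENTICATED, "u");
        assertRejected(saslMessage("a", "", ""),
            "Authentication failed: username not specified", AuditEventStatus.UNKNOWN_USER_DENIED, "");
        assertRejected(saslMessage("a", "", "p"),
            "Authentication failed: username not specified", AuditEventStatus.UNKNOWN_USER_DENIED, "");
        assertRejected(saslMessage("a", "u", ""),
            "Authentication failed: password not specified", AuditEventStatus.UNAUTHENTICATED, "u");
        // A trailing separator yields a fourth, empty token.
        assertRejected(("a" + NUL + "u" + NUL + "p" + NUL).getBytes(StandardCharsets.UTF_8),
            "Invalid SASL/PLAIN response: expected 3 tokens, got 4", AuditEventStatus.UNKNOWN_USER_DENIED, "");
        // A single separator yields only two tokens.
        assertRejected((NUL + "u").getBytes(StandardCharsets.UTF_8),
            "Invalid SASL/PLAIN response: expected 3 tokens, got 2", AuditEventStatus.UNKNOWN_USER_DENIED, "");
    }

    /** Asserts that the response is rejected with exactly this message and these audit details. */
    private void assertRejected(byte[] response, String expectedMessage, AuditEventStatus expectedStatus, String expectedIdentifier) {
        SaslAuthenticationException e = Assertions.assertThrows(
            SaslAuthenticationException.class,
            () -> this.saslServer.evaluateResponse(response));
        Assertions.assertEquals(expectedMessage, e.getMessage());
        verifyErrorInfo(e, expectedStatus, expectedIdentifier);
    }

    /** Asserts the success and failure counters and that the total is their sum. */
    private void assertStats(long expectedSucceeded, long expectedFailed) {
        Assertions.assertEquals(expectedSucceeded, stats.getSucceeded());
        Assertions.assertEquals(expectedFailed, stats.getFailed());
        Assertions.assertEquals(expectedSucceeded + expectedFailed, stats.getTotal());
    }

    /**
     * Checks the audit details carried by a rejected authentication.
     *
     * @param e the exception raised by the server
     * @param expectedStatus the audit status the failure must be recorded under
     * @param expectedIdentifier the identifier the failure must be attributed to
     */
    private void verifyErrorInfo(SaslAuthenticationException e, AuditEventStatus expectedStatus, String expectedIdentifier) {
        Assertions.assertEquals(expectedStatus, e.errorInfo().auditEventStatus());
        Assertions.assertEquals(expectedIdentifier, e.errorInfo().identifier());
        // The cluster id is only asserted for UNAUTHENTICATED failures.
        // NOTE(review): presumably it is resolved from the username, which the
        // UNKNOWN_USER_DENIED cases do not have; confirm against PlainSaslServer.
        if (AuditEventStatus.UNAUTHENTICATED == expectedStatus) {
            Assertions.assertEquals(CLUSTER_ID, e.errorInfo().clusterId());
        }
    }

    /**
     * Makes the mocked authenticator accept this username and password and return a fresh
     * principal for the given tenant on each call.
     */
    private void configureUser(String username, String password, String tenant) throws SaslException {
        Mockito.doAnswer(invocation -> new MultiTenantPrincipal(username, new TenantMetadata(tenant, tenant)))
            .when(this.mockSaslAuth).authenticate(username, password, Optional.empty());
    }

    /**
     * Builds a SASL/PLAIN client response as UTF-8 bytes.
     *
     * @param authorizationId the identity the client asks to act as; empty to use the username
     * @param username the identity being authenticated
     * @param password the credential presented for {@code username}
     */
    private byte[] saslMessage(String authorizationId, String username, String password) {
        return (authorizationId + NUL + username + NUL + password).getBytes(StandardCharsets.UTF_8);
    }
}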
