package io.confluent.kafka.server.plugins.auth.oauth;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
import com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderConfigurationRequest;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticatorConfig;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtVerificationException;
import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import io.confluent.kafka.multitenant.PhysicalClusterMetadata;
import io.confluent.kafka.multitenant.Utils;
import io.confluent.kafka.server.plugins.auth.SniValidationMode;
import io.confluent.kafka.server.plugins.auth.oauth.OAuthUtils;
import io.confluent.security.authentication.oidc.MetadataResponse;
import io.confluent.security.fixtures.http.JerseyHttpService;
import io.confluent.security.fixtures.jwt.TestJwkProvider;
import io.confluent.security.fixtures.jwt.TestJwtProvider;
import java.io.IOException;
import java.net.URI;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import javax.security.auth.callback.Callback;
import kafka.server.KafkaConfig;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.SaslExtensions;
import org.apache.kafka.common.security.authenticator.SaslServerAuthenticator;
import org.apache.kafka.common.security.authenticator.TestJaasConfig;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.apache.kafka.test.TestUtils;
import org.glassfish.jersey.internal.inject.AbstractBinder;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/oauth/OAuthBearerValidatorCallbackHandlerTest.class */
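/**
 * Tests for {@link OAuthBearerValidatorCallbackHandler}: JWS verification (signature,
 * issuer, subject, expiry), key-resolver configuration checks, and validation of the SASL
 * extensions that bind a token to a logical cluster and to the SNI host name the client
 * connected through.
 *
 * <p>A local {@link JerseyHttpService} plays the OIDC provider: it serves the well-known
 * configuration document and a JWKS endpoint backed by the shared {@link TestJwkProvider}.
 * Per-test state (temp directory, {@link PhysicalClusterMetadata}) is rebuilt in
 * {@link #setUp()} and released in {@link #tearDown()}.
 */
public class OAuthBearerValidatorCallbackHandlerTest {
    private static final String DEFAULT_ISSUER = "Confluent";
    private static final String DEFAULT_SUBJECT = "Customer";
    // Value handed to OAuthUtils.Builder as the token lifetime in most tests; the unit is
    // not visible from this file (presumably seconds) — confirm against OAuthUtils.
    private static final int DEFAULT_EXPIRY = 36000;

    private OAuthUtils.JwsContainer jwsContainer;
    private PhysicalClusterMetadata metadata;
    private Map<String, Object> configs;
    private String brokerUUID;
    private Path tempDir;

    private static JerseyHttpService server;
    private static URI providerURI;
    private static ObjectMapper objectMapper;
    private static TestJwkProvider jwks;
    private static MetadataResponse providerContext;

    private static final List<String> ALLOWED_LOGICAL_CLUSTERS =
            Collections.singletonList(Utils.LC_META_ABC.logicalClusterId());
    private static final String ORG_RESOURCE_ID = Utils.LC_META_ABC.organizationId();
    // Token whose organisation matches the logical cluster written by setUp().
    private static final OAuthBearerJwsToken TOKEN_MOCK = new OAuthBearerJwsToken(
            "", new HashSet<>(Arrays.asList(ORG_RESOURCE_ID)), 0, "", 0L,
            Collections.singletonMap("orgResourceId", ORG_RESOURCE_ID));
    // Token issued for a different organisation; must never be accepted for LC_META_ABC.
    private static final OAuthBearerJwsToken INVALID_ORG_TOKEN_MOCK = new OAuthBearerJwsToken(
            "", new HashSet<>(Arrays.asList("org_1")), 0, "", 0L,
            Collections.singletonMap("orgResourceId", "org_1"));

    /**
     * Starts the fake OIDC provider once for the whole class and reads its discovery
     * document so tests can obtain the issuer and JWKS endpoint from it.
     */
    @BeforeAll
    public static void setUpStaticResources() throws Exception {
        objectMapper = new ObjectMapper()
                .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)
                .registerModule(new Jdk8Module());
        jwks = new TestJwkProvider();
        server = new JerseyHttpService(resourceConfig -> {
            resourceConfig.register(TestJwtProvider.class);
            resourceConfig.register(new JacksonJaxbJsonProvider(objectMapper, JacksonJaxbJsonProvider.DEFAULT_ANNOTATIONS));
            // Inject the shared key provider so the JWKS resource publishes the same keys
            // the tests register via jwks.createJwkIfAbsent(...).
            resourceConfig.register(new AbstractBinder() {
                @Override
                protected void configure() {
                    bind(jwks).to(TestJwkProvider.class);
                }
            });
        });
        server.start();
        providerURI = server.getURI();
        providerContext = objectMapper.readValue(
                providerURI.resolve(OIDCProviderConfigurationRequest.OPENID_PROVIDER_WELL_KNOWN_PATH).toURL(),
                MetadataResponse.class);
    }

    /** Stops the fake provider and drops the static references so nothing leaks between classes. */
    @AfterAll
    public static void tearDownResources() throws Exception {
        if (server == null) {
            return;
        }
        server.stop();
        server = null;
        providerURI = null;
        jwks = null;
        objectMapper = null;
        providerContext = null;
    }

    /**
     * Creates a fresh multitenant metadata directory holding {@code LC_META_ABC} and waits
     * until the metadata cache has picked it up, so the handler can resolve the cluster.
     */
    @BeforeEach
    public void setUp() throws Exception {
        this.tempDir = TestUtils.tempDirectory().toPath();
        this.brokerUUID = "uuid";
        this.configs = new HashMap<>();
        this.configs.put(KafkaConfig.BrokerSessionUuidProp(), this.brokerUUID);
        this.configs.put(ConfluentConfigs.MULTITENANT_METADATA_DIR_CONFIG, this.tempDir.toRealPath().toString());
        this.metadata = Utils.initiatePhysicalClusterMetadata(this.configs);
        Utils.createLogicalClusterFile(Utils.LC_META_ABC, this.tempDir);
        TestUtils.waitForCondition(
                () -> this.metadata.metadata(Utils.LC_META_ABC.logicalClusterId()) != null,
                "Expected metadata of new logical cluster to be present in metadata cache");
    }

    /** Releases the metadata instance; guarded so a failed setUp() does not hide its own error behind an NPE. */
    @AfterEach
    public void tearDown() {
        if (this.metadata != null) {
            this.metadata.close(this.brokerUUID);
        }
    }

    /** A validly signed, unexpired token from the default issuer is accepted and attached to the callback. */
    @Test
    public void testAttachesJws() throws Exception {
        this.jwsContainer = newJws(DEFAULT_EXPIRY, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());
        OAuthBearerValidatorCallback callback = new OAuthBearerValidatorCallback(this.jwsContainer.getJwsToken());
        handler.handle(new Callback[]{callback});
        Assertions.assertNotNull(callback.token());
        Assertions.assertEquals(this.jwsContainer.getJwsToken(), callback.token().value());
        Assertions.assertNull(callback.errorStatus());
    }

    /** A negotiated logical cluster this broker has no metadata for is reported as an invalid extension. */
    @Test
    public void testPopulatesInvalidExtensionsWhenNoLogicalClusterMetadata() throws Exception {
        deleteLogicalClusterMetadata();
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());
        OAuthBearerExtensionsValidatorCallback callback = validateExtensions(
                handler, TOKEN_MOCK, logicalClusterExtension(Utils.LC_META_ABC.logicalClusterId()));
        verifyFailedAuthenticationDueToLogicalClusterNotMatched(callback);
    }

    /** Logical cluster in the extensions matches the token's organisation and is hosted here: accepted. */
    @Test
    public void testLogicalClusterExtensionsValidatedWhenTheyMatchTokensLogicalClusterAndIsHostedOnBroker() throws Exception {
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());
        OAuthBearerExtensionsValidatorCallback callback = validateExtensions(
                handler, TOKEN_MOCK, logicalClusterExtension(ALLOWED_LOGICAL_CLUSTERS.get(0)));
        verifySuccessfulAuthentication(callback);
    }

    /** In legacy mode a {@code pkc-} bootstrap SNI name is tolerated even though it is not the logical cluster id. */
    @Test
    public void testLogicalClusterExtensionsValidatedWhenTheyStartWithPkcLegacySniValidationMode() throws Exception {
        OAuthBearerValidatorCallbackHandler handler =
                createCallbackHandler(baseOptions(), SniValidationMode.ALLOW_LEGACY_BOOTSTRAP);
        OAuthBearerExtensionsValidatorCallback callback = validateExtensions(
                handler, TOKEN_MOCK,
                logicalClusterAndSniExtensions(ALLOWED_LOGICAL_CLUSTERS.get(0), "pkc-wrong-123.confluent.io"));
        verifySuccessfulAuthentication(callback);
    }

    /** A token issued for another organisation must not be accepted for this logical cluster. */
    @Test
    public void testLogicalClusterNoBelongToOrg() throws Exception {
        OAuthBearerValidatorCallbackHandler handler =
                createCallbackHandler(baseOptions(), SniValidationMode.ALLOW_LEGACY_BOOTSTRAP);
        OAuthBearerExtensionsValidatorCallback callback = validateExtensions(
                handler, INVALID_ORG_TOKEN_MOCK,
                logicalClusterAndSniExtensions(ALLOWED_LOGICAL_CLUSTERS.get(0), "pkc-wrong-123.confluent.io"));
        verifyFailedAuthenticationDueToLogicalClusterNotMatched(callback);
    }

    /** Legacy mode: SNI host name prefixed with the logical cluster id is accepted. */
    @Test
    public void testLogicalClusterExtensionsValidatedWhenTheyMatchTokensLogicalClusterLegacySniValidationMode() throws Exception {
        OAuthBearerValidatorCallbackHandler handler =
                createCallbackHandler(baseOptions(), SniValidationMode.ALLOW_LEGACY_BOOTSTRAP);
        OAuthBearerExtensionsValidatorCallback callback = validateExtensions(
                handler, TOKEN_MOCK,
                logicalClusterAndSniExtensions(ALLOWED_LOGICAL_CLUSTERS.get(0),
                        Utils.LC_META_ABC.logicalClusterId() + "-123.confluent.io"));
        verifySuccessfulAuthentication(callback);
    }

    /** Legacy mode: a present-but-null SNI host name is rejected. */
    @Test
    public void testLogicalClusterExtensionsFailedWhenNotProvidedLegacySniValidationMode() throws Exception {
        OAuthBearerValidatorCallbackHandler handler =
                createCallbackHandler(baseOptions(), SniValidationMode.ALLOW_LEGACY_BOOTSTRAP);
        OAuthBearerExtensionsValidatorCallback callback = validateExtensions(
                handler, TOKEN_MOCK, logicalClusterAndSniExtensions(ALLOWED_LOGICAL_CLUSTERS.get(0), null));
        verifyFailedAuthenticationDueToSniHostNameNotMatched(callback);
    }

    /** Legacy mode: an {@code lkc-} SNI name for a different cluster is rejected. */
    @Test
    public void testLogicalClusterExtensionsFailedWhenTheyNotMatchTokensLogicalClusterLegacySniValidationMode() throws Exception {
        OAuthBearerValidatorCallbackHandler handler =
                createCallbackHandler(baseOptions(), SniValidationMode.ALLOW_LEGACY_BOOTSTRAP);
        OAuthBearerExtensionsValidatorCallback callback = validateExtensions(
                handler, TOKEN_MOCK,
                logicalClusterAndSniExtensions(ALLOWED_LOGICAL_CLUSTERS.get(0), "lkc-wrong-123.confluent.io"));
        verifyFailedAuthenticationDueToSniHostNameNotMatched(callback);
    }

    /** Strict mode: SNI host name prefixed with the logical cluster id is accepted. */
    @Test
    public void testLogicalClusterExtensionsValidatedWhenTheyMatchTokensLogicalClusterStrictSniValidationMode() throws Exception {
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions(), SniValidationMode.STRICT);
        OAuthBearerExtensionsValidatorCallback callback = validateExtensions(
                handler, TOKEN_MOCK,
                logicalClusterAndSniExtensions(ALLOWED_LOGICAL_CLUSTERS.get(0),
                        Utils.LC_META_ABC.logicalClusterId() + "-123.confluent.io"));
        verifySuccessfulAuthentication(callback);
    }

    /** Strict mode: an SNI name for a different cluster is rejected. */
    @Test
    public void testLogicalClusterExtensionsFailedWhenSNIHostNameNotMatchingStrictSniValidationMode() throws Exception {
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions(), SniValidationMode.STRICT);
        OAuthBearerExtensionsValidatorCallback callback = validateExtensions(
                handler, TOKEN_MOCK,
                logicalClusterAndSniExtensions(ALLOWED_LOGICAL_CLUSTERS.get(0), "lkc-wrong-123.confluent.io"));
        verifyFailedAuthenticationDueToSniHostNameNotMatched(callback);
    }

    /** Strict mode: a present-but-null SNI host name is rejected. */
    @Test
    public void testLogicalClusterExtensionsFailedWhenSNIHostNameIsNotSuppliedStrictSniValidationMode() throws Exception {
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions(), SniValidationMode.STRICT);
        OAuthBearerExtensionsValidatorCallback callback = validateExtensions(
                handler, TOKEN_MOCK, logicalClusterAndSniExtensions(ALLOWED_LOGICAL_CLUSTERS.get(0), null));
        verifyFailedAuthenticationDueToSniHostNameNotMatched(callback);
    }

    /** A logical cluster the token is valid for but this broker does not host is reported as invalid. */
    @Test
    public void testPopulatesInvalidExtensionsWhenLogicalClusterIsNotHostedOnBroker() throws Exception {
        List<String> notHostedHere = Collections.singletonList("cp12");
        // Five-argument constructor (no claims map), as in the original test.
        OAuthBearerJwsToken token = new OAuthBearerJwsToken("", new HashSet<>(notHostedHere), 0L, "", 0L);
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());
        OAuthBearerExtensionsValidatorCallback callback =
                validateExtensions(handler, token, logicalClusterExtension(notHostedHere.get(0)));
        verifyFailedAuthenticationDueToLogicalClusterNotMatched(callback);
    }

    /** An unreadable JWKS/PEM path is a configuration error, not a deferred runtime failure. */
    @Test
    public void testConfigureRaisesExceptionWhenInvalidKeyPath() throws Exception {
        this.jwsContainer = newJws(DEFAULT_EXPIRY, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        Map<String, String> options = baseOptions();
        options.put(JwtAuthenticatorConfig.JWKS_LOCATION_CONFIG,
                this.jwsContainer.getPublicKeyFile().getAbsolutePath() + "/invalid!");
        Assertions.assertThrows(ConfigException.class, () -> createCallbackHandler(options));
    }

    /** The server login handler configures without any public-key option. */
    @Test
    public void testConfigureDoesNotRaiseExceptionWithoutPublicKeyPath() {
        createCallbackHandler(new OAuthBearerServerLoginCallbackHandler(), new HashMap<>(), SniValidationMode.OPTIONAL_VALIDATION);
    }

    /**
     * Pointing the broker session id at an unknown value makes configure() fail. Presumably
     * BROKER_SESSION_ID_PROP is the same key setUp() writes via BrokerSessionUuidProp() and
     * the handler cannot find its PhysicalClusterMetadata instance — confirm against the handler.
     */
    @Test
    public void testConfigureRaisesExceptionWhenInvalidPhysicalMetadataInstance() throws Exception {
        this.jwsContainer = newJws(DEFAULT_EXPIRY, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        this.configs.put(ConfluentConfigs.BROKER_SESSION_ID_PROP, "made-up");
        Assertions.assertThrows(ConfigException.class, () -> createCallbackHandler(baseOptions()));
    }

    /** Signature check: replacing the trusted PEM with an unrelated public key must fail verification. */
    @Test
    public void testRaisesJwtExceptionWhenInvalidJws() throws Exception {
        this.jwsContainer = newJws(DEFAULT_EXPIRY, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        OAuthUtils.writePemFile(this.jwsContainer.getPublicKeyFile(), OAuthUtils.generateKeyPair().getPublic());
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());
        assertTokenRejected(handler);
    }

    /** Expiry check: a token with a very short lifetime is rejected once that lifetime has passed. */
    @Test
    public void testRaisesJwtExceptionWhenExpiredJws() throws Exception {
        this.jwsContainer = newJws(50, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        // The sleep only makes sense if the builder's lifetime is in milliseconds — confirm in OAuthUtils.
        Thread.sleep(100L);
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());
        assertTokenRejected(handler);
    }

    /** Issuer check: a token from an issuer other than the configured one is rejected. */
    @Test
    public void testRaisesJwtExceptionIfDifferentIssuer() throws Exception {
        this.jwsContainer = newJws(DEFAULT_EXPIRY, "AWS", DEFAULT_SUBJECT);
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());
        assertTokenRejected(handler);
    }

    /** Subject check: a token without a subject claim is rejected. */
    @Test
    public void testRaisesJwtExceptionIfMissingSubject() throws Exception {
        this.jwsContainer = newJws(DEFAULT_EXPIRY, DEFAULT_ISSUER, null);
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());
        assertTokenRejected(handler);
    }

    /** Expiry check: a token that never expires is rejected rather than trusted indefinitely. */
    @Test
    public void testRaisesJwtExceptionIfNoExpirationTime() throws Exception {
        this.jwsContainer = newJws(null, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());
        assertTokenRejected(handler);
    }

    /**
     * The "https" key resolver accepts the fixture's JWKS endpoint when the unsafe-URL
     * override is set (the local fixture is plain HTTP). The token under test is signed by
     * the local key pair rather than a key served by that endpoint, so verification fails.
     */
    @Test
    public void testKeyResolverHttps() throws Exception {
        jwks.createJwkIfAbsent("");
        this.jwsContainer = newJws(3600, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        Map<String, String> options = new HashMap<>();
        options.put(JwtAuthenticatorConfig.KEY_RESOLVER_CONFIG, "https");
        options.put(JwtAuthenticatorConfig.ALLOW_UNSAFE_KEY_RESOLVER_URL_CONFIG, "true");
        options.put(JwtAuthenticatorConfig.JWKS_LOCATION_CONFIG, providerContext.jwksEndpoint().toString());
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(options);
        assertTokenRejected(handler);
    }

    /** The "https" resolver without a JWKS location is a configuration error. */
    @Test
    public void testKeyResolverHttpsNoJwksUri() throws Exception {
        jwks.createJwkIfAbsent("");
        this.jwsContainer = newJws(3600, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        Map<String, String> options = new HashMap<>();
        options.put(JwtAuthenticatorConfig.KEY_RESOLVER_CONFIG, "https");
        Assertions.assertThrows(ConfigException.class, () -> createCallbackHandler(options));
    }

    /**
     * The "jku" resolver with an allowlist containing {@code localhost} configures, but the
     * locally signed token still fails verification.
     */
    @Test
    public void testKeyResolverJku() throws Exception {
        jwks.createJwkIfAbsent("");
        this.jwsContainer = newJws(3600, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        Map<String, String> options = new HashMap<>();
        options.put(JwtAuthenticatorConfig.KEY_RESOLVER_CONFIG, "jku");
        options.put(JwtAuthenticatorConfig.JKU_KEY_RESOLVER_WHITELIST_CONFIG, "localhost");
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(options);
        assertTokenRejected(handler);
    }

    /** The "jku" resolver must not configure without an allowlist of key hosts. */
    @Test
    public void testKeyResolverJkuNoWhiteList() throws Exception {
        jwks.createJwkIfAbsent("");
        this.jwsContainer = newJws(3600, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        Map<String, String> options = new HashMap<>();
        options.put(JwtAuthenticatorConfig.KEY_RESOLVER_CONFIG, "jku");
        Assertions.assertThrows(ConfigException.class, () -> createCallbackHandler(options));
    }

    /** An empty "jku" allowlist is treated the same as a missing one: configuration error. */
    @Test
    public void testKeyResolverJkuEmptyWhiteList() throws Exception {
        jwks.createJwkIfAbsent("");
        this.jwsContainer = newJws(3600, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        Map<String, String> options = new HashMap<>();
        options.put(JwtAuthenticatorConfig.KEY_RESOLVER_CONFIG, "jku");
        options.put(JwtAuthenticatorConfig.JKU_KEY_RESOLVER_WHITELIST_CONFIG, "");
        Assertions.assertThrows(ConfigException.class, () -> createCallbackHandler(options));
    }

    /** Configuring the fixture provider's issuer makes a token from {@code DEFAULT_ISSUER} fail verification. */
    @Test
    public void testInvalidIssuer() throws Exception {
        jwks.createJwkIfAbsent("");
        this.jwsContainer = newJws(3600, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        Map<String, String> options = new HashMap<>();
        options.put(JwtAuthenticatorConfig.ISSUER_CONFIG, providerContext.issuer().toString());
        options.put(JwtAuthenticatorConfig.KEY_RESOLVER_CONFIG, JwtAuthenticatorConfig.JWKS_PEMFILE);
        options.put(JwtAuthenticatorConfig.JWKS_LOCATION_CONFIG, this.jwsContainer.getPublicKeyFile().toString());
        OAuthBearerValidatorCallbackHandler handler = createCallbackHandler(options);
        assertTokenRejected(handler);
    }

    /** Asserts no extension was flagged and no error message was produced. */
    private void verifySuccessfulAuthentication(OAuthBearerExtensionsValidatorCallback callback) {
        Assertions.assertTrue(callback.invalidExtensions().isEmpty());
        Assertions.assertTrue(callback.errorMessage().isEmpty());
    }

    /** Asserts the negotiated logical cluster extension was flagged and an error message set. */
    private void verifyFailedAuthenticationDueToLogicalClusterNotMatched(OAuthBearerExtensionsValidatorCallback callback) {
        Assertions.assertFalse(callback.invalidExtensions().isEmpty());
        Assertions.assertNotNull(callback.invalidExtensions().get(OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY));
        Assertions.assertFalse(callback.errorMessage().isEmpty());
    }

    /** Asserts the SNI host name extension was flagged and an error message set. */
    private void verifyFailedAuthenticationDueToSniHostNameNotMatched(OAuthBearerExtensionsValidatorCallback callback) {
        Assertions.assertFalse(callback.invalidExtensions().isEmpty());
        Assertions.assertNotNull(callback.invalidExtensions().get(SaslServerAuthenticator.SNI_BROKER_HOST_NAME_SASL_PROPERTY_KEY));
        Assertions.assertFalse(callback.errorMessage().isEmpty());
    }

    /** Removes the logical cluster file written by setUp() and waits for the cache to drop it. */
    private void deleteLogicalClusterMetadata() throws IOException, InterruptedException {
        Utils.deleteLogicalClusterFile(Utils.LC_META_ABC, this.tempDir);
        TestUtils.waitForCondition(
                () -> this.metadata.metadata(Utils.LC_META_ABC.logicalClusterId()) == null,
                "Expected metadata of new logical cluster to be removed from metadata cache");
    }

    /** Builds a JWS for {@code ORG_RESOURCE_ID}; {@code expiry} may be null to omit the expiration claim. */
    private OAuthUtils.JwsContainer newJws(Integer expiry, String issuer, String subject) throws Exception {
        return new OAuthUtils.Builder(expiry, issuer, subject, ORG_RESOURCE_ID).build();
    }

    /** Extensions carrying only the negotiated logical cluster (no SNI entry at all). */
    private static Map<String, String> logicalClusterExtension(String logicalClusterId) {
        Map<String, String> extensions = new HashMap<>();
        extensions.put(OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY, logicalClusterId);
        return extensions;
    }

    /**
     * Extensions carrying the negotiated logical cluster and the SNI host name. The SNI key is
     * inserted even when {@code sniHostName} is null: "present but null" is a distinct case
     * from "absent" and several tests rely on it.
     */
    private static Map<String, String> logicalClusterAndSniExtensions(String logicalClusterId, String sniHostName) {
        Map<String, String> extensions = logicalClusterExtension(logicalClusterId);
        extensions.put(SaslServerAuthenticator.SNI_BROKER_HOST_NAME_SASL_PROPERTY_KEY, sniHostName);
        return extensions;
    }

    /** Runs an extensions-validation callback through {@code handler} and returns it for inspection. */
    private static OAuthBearerExtensionsValidatorCallback validateExtensions(
            OAuthBearerValidatorCallbackHandler handler, OAuthBearerJwsToken token, Map<String, String> extensions)
            throws Exception {
        OAuthBearerExtensionsValidatorCallback callback =
                new OAuthBearerExtensionsValidatorCallback(token, new SaslExtensions(extensions));
        handler.handle(new Callback[]{callback});
        return callback;
    }

    /** Asserts that {@code handler} rejects the current {@code jwsContainer} token with a JwtVerificationException. */
    private void assertTokenRejected(OAuthBearerValidatorCallbackHandler handler) {
        Assertions.assertThrows(JwtVerificationException.class,
                () -> handler.processToken(this.jwsContainer.getJwsToken()));
    }

    private OAuthBearerValidatorCallbackHandler createCallbackHandler(Map<String, String> options) {
        return createCallbackHandler(options, SniValidationMode.OPTIONAL_VALIDATION);
    }

    private OAuthBearerValidatorCallbackHandler createCallbackHandler(Map<String, String> options, SniValidationMode sniValidationMode) {
        return createCallbackHandler(new OAuthBearerValidatorCallbackHandler(), options, sniValidationMode);
    }

    /**
     * Configures {@code handler} from a JAAS entry built from {@code options}.
     *
     * @param handler the handler to configure; returned for chaining
     * @param options JAAS module options; the SNI validation mode is added to this map (it is mutated)
     * @param sniValidationMode mode written under {@code sni_host_name_validation_mode}
     * @return {@code handler}, configured against {@link #configs}
     */
    private <T extends AuthenticateCallbackHandler> T createCallbackHandler(T handler, Map<String, String> options, SniValidationMode sniValidationMode) {
        TestJaasConfig jaasConfig = new TestJaasConfig();
        options.put("sni_host_name_validation_mode", sniValidationMode.getText());
        jaasConfig.createOrUpdateEntry("Kafka", OAuthBearerLoginModule.class.getCanonicalName(), options);
        handler.configure(this.configs, "OAUTHBEARER", Collections.singletonList(jaasConfig.getAppConfigurationEntry("Kafka")[0]));
        return handler;
    }

    /**
     * Default handler options: PEM-file key resolver pointed at the current token's public
     * key and an empty audience. Lazily builds a default JWS if a test has not built one.
     */
    private Map<String, String> baseOptions() throws Exception {
        if (this.jwsContainer == null) {
            this.jwsContainer = newJws(DEFAULT_EXPIRY, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        }
        Map<String, String> options = new HashMap<>();
        options.put(JwtAuthenticatorConfig.KEY_RESOLVER_CONFIG, JwtAuthenticatorConfig.JWKS_PEMFILE);
        options.put(JwtAuthenticatorConfig.JWKS_LOCATION_CONFIG, this.jwsContainer.getPublicKeyFile().getAbsolutePath());
        // Empty audience (the original built this as String.join(",") over zero elements).
        options.put("audience", "");
        return options;
    }
}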
