package io.confluent.kafka.security.oauthbearer;

import com.fasterxml.jackson.databind.ObjectMapper;
import io.confluent.kafka.security.PrivateKeyUtils;
import java.io.File;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.HashMap;
import java.util.Map;
import java.util.stream.Stream;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.utils.FileWatchService;
import org.apache.kafka.test.TestUtils;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwx.Headers;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;

/* loaded from: input_file:io/confluent/kafka/security/oauthbearer/PrivateKeyClientAssertionTest.class */
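/**
 * Tests for {@link PrivateKeyClientAssertion}: construction from a PEM key file, reloading of the
 * key and of the optional JSON config file, and the JOSE headers and claims of the generated JWT.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Every test that checks claims verifies the signature with the public half of the key pair
 *       written in {@link #setUp()}. Only {@link #validateHeaders} skips verification.</li>
 *   <li>The parameterized tests also assert that top-level keys placed <em>outside</em> the
 *       {@code headers} / {@code payload} sections of the config file do not appear in the
 *       token.</li>
 *   <li>The key material is generated per test and written to a temporary file; it must never be
 *       reused outside the test suite.</li>
 * </ul>
 */
class PrivateKeyClientAssertionTest {
    // Passed as both the first and the third constructor argument of PrivateKeyClientAssertion.
    // NOTE(review): presumably issuer/client id and subject -- confirm against the constructor.
    private static final String CLIENT_APP = "client_app1";

    // Token endpoint used as the assertion audience; the consumers below require this `aud`.
    private static final String TOKEN_ENDPOINT =
            "http://keycloak:8080/realms/cp/protocol/openid-connect/token";

    private String pemFilepath;
    private PublicKey publicKey;
    private String clientAssertionConfigFilePath;

    /**
     * Header cases: the first map holds headers declared under {@code "headers"} (expected in the
     * JWS header), the second holds top-level config keys (expected to be absent from it).
     */
    static Stream<Arguments> headerTestCaseProvider() {
        return Stream.of(
                Arguments.of(
                        createMap("kid", "test", "x5t", "test", "x5t#S256", "test"),
                        new HashMap<String, Object>()),
                Arguments.of(
                        createMap("kid", "test", "x5t", "test"),
                        createMap("x5t#S256", "test")),
                Arguments.of(
                        createMap("kid", "test", "x5t", "test"),
                        createMap("gibberishHeader", "test")));
    }

    /**
     * Payload cases: the first map holds claims declared under {@code "payload"} (expected in the
     * claim set), the second holds top-level config keys (expected to be absent from it).
     *
     * <p>NOTE(review): no case tries to override a registered claim such as {@code aud},
     * {@code iss} or {@code exp} through the config file; consider adding one so the precedence
     * between config-supplied and generated claims is pinned by a test.
     */
    static Stream<Arguments> payloadTestCaseProvider() {
        return Stream.of(
                Arguments.of(
                        createMap("additonal_aud", "test", "customClaim", 10L, "tenant", "test"),
                        new HashMap<String, Object>()),
                Arguments.of(
                        createMap("additonal_aud", "test", "customClaim", 10L),
                        createMap("tenant", "test")),
                Arguments.of(
                        createMap("kid", "test", "x5t", "test"),
                        createMap("gibberishHeader", "test")));
    }

    /**
     * Builds a mutable map from alternating key/value arguments.
     *
     * @param objArr keys (which must be {@link String}s) at even indexes, values at odd indexes
     * @return a new {@link HashMap} with the given entries
     * @throws IllegalArgumentException if the number of arguments is odd
     */
    private static Map<String, Object> createMap(Object... objArr) {
        if (objArr.length % 2 != 0) {
            // Fail with a clear message instead of an ArrayIndexOutOfBoundsException in the loop.
            throw new IllegalArgumentException(
                    "createMap needs key/value pairs but got " + objArr.length + " arguments");
        }
        Map<String, Object> result = new HashMap<>();
        for (int i = 0; i < objArr.length; i += 2) {
            result.put((String) objArr[i], objArr[i + 1]);
        }
        return result;
    }

    /**
     * Asserts that the JWS header of {@code str} carries every entry of {@code map}.
     *
     * <p>Signature verification is deliberately skipped here: the token was produced by the test
     * itself and only the header contents are under test. Outside a test, header values of an
     * unverified JWS (for example {@code kid} or {@code x5t}) are untrusted input and must not be
     * acted on before the signature has been checked.
     *
     * @param str the compact-serialized JWT to inspect
     * @param map header name to expected string value
     * @throws InvalidJwtException if the token fails the remaining (non-signature) validation
     */
    private static void validateHeaders(String str, Map<String, Object> map) throws InvalidJwtException {
        JwtConsumer headerOnlyConsumer = new JwtConsumerBuilder()
                .setSkipSignatureVerification()
                .setExpectedAudience(TOKEN_ENDPOINT)
                .build();
        Headers headers =
                ((JsonWebSignature) headerOnlyConsumer.process(str).getJoseObjects().get(0)).getHeaders();
        map.forEach((name, expected) ->
                Assertions.assertEquals(expected, headers.getStringHeaderValue(name)));
    }

    /** Generates a fresh RSA key pair and writes its PKCS#1 PEM form to a temporary file. */
    @BeforeEach
    void setUp() throws Exception {
        // NOTE(review): presumably shortens the file-watch latency so the reload tests finish
        // quickly -- confirm against FileWatchService.
        FileWatchService.useHighSensitivity();
        KeyPair rsaKeyPair = PrivateKeyUtils.getRsaKeyPair();
        this.publicKey = rsaKeyPair.getPublic();
        this.pemFilepath = getFilePath(PrivateKeyUtils.getPkcs1PemKey(rsaKeyPair));
    }

    @AfterEach
    void tearDown() {
        // Intentionally empty. NOTE(review): the PEM and config files are created through
        // TestUtils.tempFile; presumably that helper schedules their deletion -- confirm, since
        // the PEM file holds an unencrypted private key.
    }

    /** Writes {@code str} to a new temporary file and returns the file's absolute path. */
    private static String getFilePath(String str) throws Exception {
        return TestUtils.tempFile(str).getAbsolutePath();
    }

    /** Overwrites the file at path {@code str} with the content {@code str2}. */
    private void updateFile(String str, String str2) throws Exception {
        TestUtils.writeToFile(new File(str), str2);
    }

    /**
     * Creates the assertion under test with the fixed arguments every test shares.
     *
     * @param keyFilePath path of the PEM private-key file
     * @param configFilePath path of the JSON config file, or {@code null} for none
     */
    private static PrivateKeyClientAssertion newAssertion(String keyFilePath, String configFilePath) {
        return new PrivateKeyClientAssertion(
                CLIENT_APP, TOKEN_ENDPOINT, CLIENT_APP, 10, true, true, keyFilePath, (String) null, configFilePath);
    }

    /** Returns a consumer that verifies the signature with {@link #publicKey} and checks {@code aud}. */
    private JwtConsumer verifyingConsumer() {
        return new JwtConsumerBuilder()
                .setVerificationKey(this.publicKey)
                .setExpectedAudience(TOKEN_ENDPOINT)
                .build();
    }

    @Test
    void testInitialization() {
        Assertions.assertNotNull(newAssertion(this.pemFilepath, null));
    }

    @Test
    void testInitializationThrowsFileException() {
        KafkaException thrown = Assertions.assertThrows(
                KafkaException.class, () -> newAssertion("invalid file path", null));
        // The message is expected to name the offending path so that operators can locate it.
        Assertions.assertTrue(thrown.getMessage().contains("invalid file path"));
    }

    @Test
    public void testReloadsPrivateKey() throws Exception {
        PrivateKeyClientAssertion assertion = newAssertion(this.pemFilepath, null);
        PrivateKey originalKey = assertion.getPrivateKey();
        updateFile(this.pemFilepath, PrivateKeyUtils.getPkcs1PemKey(PrivateKeyUtils.getRsaKeyPair()));
        // NOTE(review): this only proves the in-memory key object changed. Keeping the rotated key
        // pair and verifying a JWT issued afterwards with its public key would also prove that
        // signing switches to the new key.
        TestUtils.waitForCondition(
                () -> !originalKey.equals(assertion.getPrivateKey()), "Private key not reloaded");
    }

    @Test
    public void testReloadsPrivateKeyAndHeaders() throws Exception {
        Map<String, Object> initialHeaders = createMap("kid", "test", "x5t", "test");
        Map<String, Object> updatedHeaders = createMap("kid", "updated-test", "x5t", "updated-test");
        createClientAssertionConfigFile(createMap("headers", initialHeaders));
        PrivateKeyClientAssertion assertion = newAssertion(this.pemFilepath, this.clientAssertionConfigFilePath);
        PrivateKey originalKey = assertion.getPrivateKey();
        validateHeaders(assertion.getJwt(), initialHeaders);

        String rotatedPem = PrivateKeyUtils.getPkcs1PemKey(PrivateKeyUtils.getRsaKeyPair());
        // The config file is rewritten before the key file, and the wait below observes the key.
        // NOTE(review): this assumes the config reload is visible no later than the key reload;
        // if the two files are watched independently the final assertion can race -- confirm.
        updateClientAssertionConfigFile(createMap("headers", updatedHeaders));
        updateFile(this.pemFilepath, rotatedPem);
        TestUtils.waitForCondition(
                () -> !originalKey.equals(assertion.getPrivateKey()), "Private key not reloaded");
        validateHeaders(assertion.getJwt(), updatedHeaders);
    }

    @Test
    public void testGetJwt() throws Exception {
        // Signature and audience are verified by the consumer.
        // NOTE(review): the returned claims are only checked for non-null; asserting the issuer,
        // subject, expiry and token-id claims here would pin the assertion's contents as well.
        String jwt = newAssertion(this.pemFilepath, null).getJwt();
        Assertions.assertNotNull(verifyingConsumer().processToClaims(jwt));
    }

    @MethodSource({"headerTestCaseProvider"})
    @ParameterizedTest
    public void testGetJwtWithAdditionalHeaders(Map<String, String> map, Map<String, String> map2) throws Exception {
        Map<String, Object> config = new HashMap<>();
        config.put("headers", map);
        // Top-level keys: these sit outside "headers" and must not reach the JWS header.
        config.putAll(map2);
        createClientAssertionConfigFile(config);

        String jwt = newAssertion(this.pemFilepath, this.clientAssertionConfigFilePath).getJwt();
        JwtConsumer consumer = verifyingConsumer();
        Assertions.assertNotNull(consumer.processToClaims(jwt));
        Headers headers = ((JsonWebSignature) consumer.process(jwt).getJoseObjects().get(0)).getHeaders();
        map.forEach((name, expected) ->
                Assertions.assertEquals(expected, headers.getStringHeaderValue(name)));
        map2.forEach((name, ignoredValue) ->
                Assertions.assertNull(headers.getStringHeaderValue(name)));
    }

    @MethodSource({"payloadTestCaseProvider"})
    @ParameterizedTest
    public void testGetJwtWithAdditionalPayloadClaims(Map<String, Object> map, Map<String, Object> map2) throws Exception {
        Map<String, Object> config = new HashMap<>();
        config.put("payload", map);
        // Top-level keys: these sit outside "payload" and must not reach the claim set.
        config.putAll(map2);
        createClientAssertionConfigFile(config);

        String jwt = newAssertion(this.pemFilepath, this.clientAssertionConfigFilePath).getJwt();
        JwtClaims claims = verifyingConsumer().processToClaims(jwt);
        Assertions.assertNotNull(claims);
        map.forEach((name, expected) ->
                Assertions.assertEquals(expected, claims.getClaimValue(name)));
        map2.forEach((name, ignoredValue) ->
                Assertions.assertNull(claims.getClaimValue(name)));
    }

    /** Serializes {@code map} as JSON into a new temporary file and records its path. */
    private void createClientAssertionConfigFile(Map<String, Object> map) {
        try {
            this.clientAssertionConfigFilePath =
                    getFilePath(new ObjectMapper().writerWithDefaultPrettyPrinter().writeValueAsString(map));
        } catch (Exception e) {
            throw new RuntimeException("Error writing JSON to file", e);
        }
    }

    /** Overwrites the current config file with the JSON serialization of {@code map}. */
    private void updateClientAssertionConfigFile(Map<String, Object> map) {
        try {
            updateFile(
                    this.clientAssertionConfigFilePath,
                    new ObjectMapper().writerWithDefaultPrettyPrinter().writeValueAsString(map));
        } catch (Exception e) {
            throw new RuntimeException("Error writing JSON to file", e);
        }
    }
}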
