package io.confluent.kafka.server.plugins.auth;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Optional;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.network.CCloudTrafficType;
import org.apache.kafka.server.traffic.TrafficNetworkIdRoutes;
import org.apache.kafka.server.traffic.TrafficNetworkIdRoutesStore;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/TopicBasedPlainSaslAuthenticatorTest.class */
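/**
 * Tests the network-ID gate that {@code TopicBasedPlainSaslAuthenticator.verifyNetworkId}
 * applies during SASL/PLAIN authentication.
 *
 * <p>Three inputs are varied: the allowed routes returned by the mocked
 * {@link TrafficNetworkIdRoutesStore}, the mode configured through the JAAS option
 * {@code traffic_network_id_validation_mode}, and the {@link CCloudTrafficType} passed to the
 * authenticator's constructor.
 *
 * <p>Security-relevant behaviour pinned by these tests:
 * <ul>
 *   <li>STRICT rejects a network ID that is not in the loaded routes.</li>
 *   <li>STRICT fails closed when the routes have not been loaded (the store returns
 *       {@code null}).</li>
 *   <li>NONE accepts any network ID, and an absent mode option resolves to NONE, so validation
 *       is off unless the configuration or the traffic type turns it on.</li>
 *   <li>A traffic type whose {@code shouldValidateTraffic()} is true forces STRICT even when the
 *       option says NONE.</li>
 * </ul>
 *
 * <p>NOTE(review): no case in this class covers {@code Optional.empty()} as the network ID under
 * STRICT; whether an absent ID is rejected is worth pinning with its own test.
 */
public class TopicBasedPlainSaslAuthenticatorTest {
    private static final String ALLOWED_NETWORK_ID = "ne1";
    private static final String UNLISTED_NETWORK_ID = "neInvalid";

    /** An allowed network ID is accepted however STRICT validation came to be in effect. */
    @Test
    public void testVerifyValidNetworkId() throws Exception {
        Assertions.assertTrue(verifyWithNetworkId(
                createAuthenticator(allowedNetworkIds(), TrafficNetworkIdValidationMode.STRICT),
                ALLOWED_NETWORK_ID));
        Assertions.assertTrue(verifyWithNetworkId(
                createAuthenticator(allowedNetworkIds(), CCloudTrafficType.PL_PUBLIC_IP_NLB),
                ALLOWED_NETWORK_ID));
        Assertions.assertTrue(verifyWithNetworkId(
                createAuthenticator(
                        new TrafficNetworkIdRoutes(allowedNetworkIds()),
                        TrafficNetworkIdValidationMode.NONE,
                        CCloudTrafficType.PL_PUBLIC_IP_NLB),
                ALLOWED_NETWORK_ID));
    }

    /**
     * An unlisted network ID is rejected under STRICT, including the case where the option says
     * NONE but the traffic type is PL_PUBLIC_IP_NLB.
     */
    @Test
    public void testVerifyInvalidNetworkId() throws Exception {
        assertInvalidNetworkFailsAuth(
                createAuthenticator(allowedNetworkIds(), TrafficNetworkIdValidationMode.STRICT));
        assertInvalidNetworkFailsAuth(
                createAuthenticator(allowedNetworkIds(), CCloudTrafficType.PL_PUBLIC_IP_NLB));
        // The configured NONE must not switch off validation for this traffic type.
        assertInvalidNetworkFailsAuth(createAuthenticator(
                new TrafficNetworkIdRoutes(allowedNetworkIds()),
                TrafficNetworkIdValidationMode.NONE,
                CCloudTrafficType.PL_PUBLIC_IP_NLB));
    }

    /**
     * Asserts that verifying an unlisted network ID throws {@link SaslAuthenticationException}
     * whose error message names the disallowed cluster communication.
     */
    private void assertInvalidNetworkFailsAuth(TopicBasedPlainSaslAuthenticator authenticator) {
        SaslAuthenticationException failure = Assertions.assertThrows(
                SaslAuthenticationException.class,
                () -> verifyWithNetworkId(authenticator, UNLISTED_NETWORK_ID));
        Assertions.assertTrue(failure.errorInfo().errorMessage()
                .contains("isn't allowed to communicate to the cluster ID"));
    }

    /** STRICT with no routes loaded fails closed: even a would-be-allowed ID is rejected. */
    @Test
    public void testRoutesNotYetLoaded() throws Exception {
        TopicBasedPlainSaslAuthenticator authenticator =
                createAuthenticator((TrafficNetworkIdRoutes) null, TrafficNetworkIdValidationMode.STRICT);
        SaslAuthenticationException failure = Assertions.assertThrows(
                SaslAuthenticationException.class,
                () -> verifyWithNetworkId(authenticator, ALLOWED_NETWORK_ID));
        Assertions.assertTrue(failure.errorInfo().errorMessage()
                .contains("validation failed due to an internal error"));
    }

    /** NONE does not depend on the routes, so missing routes do not block authentication. */
    @Test
    public void testRoutesNotYetLoadedNoneMode() throws Exception {
        Assertions.assertTrue(verifyWithNetworkId(
                createAuthenticator((TrafficNetworkIdRoutes) null, TrafficNetworkIdValidationMode.NONE),
                ALLOWED_NETWORK_ID));
    }

    /**
     * With validation effectively off, an unlisted network ID is accepted. This covers an explicit
     * NONE, an absent mode option, and the UNKNOWN and PL_PRIVATE_LINK_NLB traffic types.
     */
    @Test
    public void testVerifyNoneMode() throws Exception {
        Assertions.assertTrue(verifyWithNetworkId(
                createAuthenticator(allowedNetworkIds(), TrafficNetworkIdValidationMode.NONE),
                UNLISTED_NETWORK_ID));
        // The casts on null pick the intended createAuthenticator overload.
        Assertions.assertTrue(verifyWithNetworkId(
                createAuthenticator(allowedNetworkIds(), (TrafficNetworkIdValidationMode) null),
                UNLISTED_NETWORK_ID));
        Assertions.assertTrue(verifyWithNetworkId(
                createAuthenticator(allowedNetworkIds(), CCloudTrafficType.UNKNOWN),
                UNLISTED_NETWORK_ID));
        Assertions.assertTrue(verifyWithNetworkId(
                createAuthenticator(allowedNetworkIds(), CCloudTrafficType.PL_PRIVATE_LINK_NLB),
                UNLISTED_NETWORK_ID));
    }

    /** A configured STRICT stays in force when the traffic type is UNKNOWN. */
    @Test
    public void testVerifyListenerStrictModeOverridesTlvNoneMode() throws Exception {
        assertInvalidNetworkFailsAuth(createAuthenticator(
                new TrafficNetworkIdRoutes(allowedNetworkIds()),
                TrafficNetworkIdValidationMode.STRICT,
                CCloudTrafficType.UNKNOWN));
    }

    /** Returns a fresh list of the network IDs that the tests treat as allowed. */
    private static List<String> allowedNetworkIds() {
        return Arrays.asList(ALLOWED_NETWORK_ID, "ne2");
    }

    /** Runs {@code verifyNetworkId} for the fixture user with the given network ID. */
    private boolean verifyWithNetworkId(TopicBasedPlainSaslAuthenticator authenticator, String networkId)
            throws Exception {
        return authenticator.verifyNetworkId(getUserInfo(), "test", Optional.of(networkId));
    }

    /** Builds the fixture SASL config entry that every verification call uses. */
    private MultiTenantSaslConfigEntry getUserInfo() {
        return new MultiTenantSaslConfigEntry(
                "PLAIN", "foobar", "none", FileBasedPlainSaslAuthenticatorTest.USER_ID_1, "lkc-bkey", false, "u-23");
    }

    /** Creates an authenticator from a list of allowed IDs and a configured mode, with no traffic type. */
    private TopicBasedPlainSaslAuthenticator createAuthenticator(
            List<String> list, TrafficNetworkIdValidationMode trafficNetworkIdValidationMode) throws Exception {
        return createAuthenticator(new TrafficNetworkIdRoutes(list), trafficNetworkIdValidationMode, null);
    }

    /** Creates an authenticator from a list of allowed IDs and a traffic type, with no mode option. */
    private TopicBasedPlainSaslAuthenticator createAuthenticator(
            List<String> list, CCloudTrafficType cCloudTrafficType) throws Exception {
        return createAuthenticator(new TrafficNetworkIdRoutes(list), null, cCloudTrafficType);
    }

    /** Creates an authenticator from routes (possibly {@code null}) and a configured mode, with no traffic type. */
    private TopicBasedPlainSaslAuthenticator createAuthenticator(
            TrafficNetworkIdRoutes trafficNetworkIdRoutes,
            TrafficNetworkIdValidationMode trafficNetworkIdValidationMode) throws Exception {
        return createAuthenticator(trafficNetworkIdRoutes, trafficNetworkIdValidationMode, null);
    }

    /**
     * Creates and initializes an authenticator, then checks the validation mode it resolved.
     *
     * @param trafficNetworkIdRoutes routes the mocked store returns from {@code load()}; may be
     *     {@code null} to simulate routes that are not loaded
     * @param trafficNetworkIdValidationMode mode written to the JAAS options, or {@code null} to
     *     leave the option out
     * @param cCloudTrafficType traffic type passed to the constructor; may be {@code null}
     * @return the initialized authenticator
     */
    private TopicBasedPlainSaslAuthenticator createAuthenticator(
            TrafficNetworkIdRoutes trafficNetworkIdRoutes,
            TrafficNetworkIdValidationMode trafficNetworkIdValidationMode,
            CCloudTrafficType cCloudTrafficType) throws Exception {
        TrafficNetworkIdRoutesStore routesStore = Mockito.mock(TrafficNetworkIdRoutesStore.class);
        Mockito.when(routesStore.load()).thenReturn(trafficNetworkIdRoutes);
        TopicBasedPlainSaslAuthenticator authenticator = new TopicBasedPlainSaslAuthenticator(
                (BaseMultiTenantSaslSecretsStore) null, routesStore, cCloudTrafficType);

        HashMap<String, String> jaasOptions = new HashMap<>();
        if (trafficNetworkIdValidationMode != null) {
            jaasOptions.put("traffic_network_id_validation_mode", trafficNetworkIdValidationMode.name());
        }
        authenticator.initialize(Collections.singletonList(new AppConfigurationEntry(
                TopicBasedLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                jaasOptions)));

        // Expected precedence: a validating traffic type forces STRICT, then the configured mode,
        // then NONE. assertEquals takes the expected value first so failure messages read correctly.
        TrafficNetworkIdValidationMode expectedMode;
        if (cCloudTrafficType != null && cCloudTrafficType.shouldValidateTraffic()) {
            expectedMode = TrafficNetworkIdValidationMode.STRICT;
        } else if (trafficNetworkIdValidationMode != null) {
            expectedMode = trafficNetworkIdValidationMode;
        } else {
            expectedMode = TrafficNetworkIdValidationMode.NONE;
        }
        Assertions.assertEquals(expectedMode, authenticator.networkIdValidationMode);
        return authenticator;
    }
}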
