package io.confluent.kafka.server.plugins.auth.token;

import io.confluent.kafka.clients.plugins.auth.jwt.JwtVerificationException;
import io.confluent.kafka.test.utils.TokenTestUtils;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.authenticator.TestJaasConfig;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/token/TokenBearerValidatorCallbackHandlerTest.class */
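/**
 * Unit tests for {@link TokenBearerValidatorCallbackHandler}.
 *
 * <p>The cases cover the accept path (a valid JWS is attached to the callback) and the reject
 * paths that matter for token validation: unreadable public key path, a verification key that
 * differs from the one written at token setup, an expired token, an unexpected issuer, a missing
 * subject and a missing expiration time.
 *
 * <p>NOTE(review): every case configures an empty {@code audience} option, so no test here
 * exercises a token whose audience does not match a configured audience. Consider adding one.
 */
public class TokenBearerValidatorCallbackHandlerTest {
    private static final String DEFAULT_ISSUER = "Confluent";
    private static final String DEFAULT_SUBJECT = "Customer";

    /** Token lifetime used by the tests that need a token that is still valid. */
    private static final int VALID_LIFETIME = 36000;

    private TokenTestUtils.JwsContainer jwsContainer;
    private Map<String, Object> configs;

    @Rule
    public final TemporaryFolder tempFolder = new TemporaryFolder();

    /** Builds the handler-level config, pointing the metadata directory at a per-test temp folder. */
    @Before
    public void setUp() throws Exception {
        this.configs = new HashMap<>();
        this.configs.put("multitenant.metadata.dir", this.tempFolder.getRoot().getCanonicalPath());
    }

    @After
    public void tearDown() {
        // Nothing to release: TemporaryFolder cleans up after itself.
    }

    /** A valid token is passed through unchanged and no error status is set on the callback. */
    @Test
    public void testAttachesJws() throws Exception {
        this.jwsContainer = TokenTestUtils.setUpJws(VALID_LIFETIME, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        TokenBearerValidatorCallbackHandler handler = createCallbackHandler(baseOptions());
        // Declared with the concrete type: token() and errorStatus() are not part of Callback.
        OAuthBearerValidatorCallback callback =
                new OAuthBearerValidatorCallback(this.jwsContainer.getJwsToken());

        handler.handle(new Callback[] {callback});

        Assert.assertNotNull(callback.token());
        Assert.assertEquals(this.jwsContainer.getJwsToken(), callback.token().value());
        Assert.assertNull(callback.errorStatus());
    }

    /** configure() must fail fast when the public key path does not point at a readable key. */
    @Test(expected = ConfigException.class)
    public void testConfigureRaisesExceptionWhenInvalidKeyPath() throws Exception {
        this.jwsContainer = TokenTestUtils.setUpJws(VALID_LIFETIME, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        Map<String, String> options = baseOptions();
        options.put(
                "publicKeyPath",
                this.jwsContainer.getPublicKeyFile().getAbsolutePath() + "/invalid!");
        createCallbackHandler(options);
    }

    /**
     * A token must be rejected when the configured public key is not the one from token setup.
     *
     * <p>The key file is overwritten with the public half of a freshly generated key pair, so the
     * token obtained from {@code setUpJws} is presumably no longer verifiable against it.
     */
    @Test(expected = JwtVerificationException.class)
    public void testRaisesJwtExceptionWhenInvalidJws() throws Exception {
        this.jwsContainer = TokenTestUtils.setUpJws(VALID_LIFETIME, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        TokenTestUtils.writePemFile(
                this.jwsContainer.getPublicKeyFile(), TokenTestUtils.generateKeyPair().getPublic());
        createCallbackHandler(baseOptions()).processToken(this.jwsContainer.getJwsToken());
    }

    /** An expired token must be rejected. */
    @Test(expected = JwtVerificationException.class)
    public void testRaisesJwtExceptionWhenExpiredJws() throws Exception {
        // NOTE(review): lifetime 50 followed by a 100 ms sleep; presumably the lifetime is in
        // milliseconds. Confirm against TokenTestUtils, and against any clock-skew allowance in
        // the handler, since either could make this test timing-sensitive.
        this.jwsContainer = TokenTestUtils.setUpJws(50, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        Thread.sleep(100L);
        createCallbackHandler(baseOptions()).processToken(this.jwsContainer.getJwsToken());
    }

    /** A token minted with an issuer other than the default one must be rejected. */
    @Test(expected = JwtVerificationException.class)
    public void testRaisesJwtExceptionIfDifferentIssuer() throws Exception {
        this.jwsContainer = TokenTestUtils.setUpJws(VALID_LIFETIME, "AWS", DEFAULT_SUBJECT);
        createCallbackHandler(baseOptions()).processToken(this.jwsContainer.getJwsToken());
    }

    /** A token without a subject must be rejected. */
    @Test(expected = JwtVerificationException.class)
    public void testRaisesJwtExceptionIfMissingSubject() throws Exception {
        this.jwsContainer = TokenTestUtils.setUpJws(VALID_LIFETIME, DEFAULT_ISSUER, null);
        createCallbackHandler(baseOptions()).processToken(this.jwsContainer.getJwsToken());
    }

    /** A token without an expiration time must be rejected rather than treated as non-expiring. */
    @Test(expected = JwtVerificationException.class)
    public void testRaisesJwtExceptionIfNoExpirationTime() throws Exception {
        this.jwsContainer = TokenTestUtils.setUpJws(null, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        createCallbackHandler(baseOptions()).processToken(this.jwsContainer.getJwsToken());
    }

    /**
     * Creates and configures a handler from the given JAAS options.
     *
     * @param map JAAS module options for the "Kafka" login context entry
     * @return a handler configured for the OAUTHBEARER mechanism
     */
    private TokenBearerValidatorCallbackHandler createCallbackHandler(Map<String, String> map) {
        TestJaasConfig jaasConfig = new TestJaasConfig();
        jaasConfig.createOrUpdateEntry(
                "Kafka",
                "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule",
                map);
        TokenBearerValidatorCallbackHandler handler = new TokenBearerValidatorCallbackHandler();
        handler.configure(
                this.configs,
                "OAUTHBEARER",
                Collections.singletonList(jaasConfig.getAppConfigurationEntry("Kafka")[0]));
        return handler;
    }

    /**
     * Returns the JAAS options shared by all tests, creating a default token container first if
     * the calling test has not set one up.
     *
     * @return a mutable map with {@code publicKeyPath} and an empty {@code audience}
     */
    private Map<String, String> baseOptions() throws Exception {
        if (this.jwsContainer == null) {
            this.jwsContainer =
                    TokenTestUtils.setUpJws(VALID_LIFETIME, DEFAULT_ISSUER, DEFAULT_SUBJECT);
        }
        Map<String, String> options = new HashMap<>();
        options.put("publicKeyPath", this.jwsContainer.getPublicKeyFile().getAbsolutePath());
        // Joining zero elements yields the empty string, i.e. no audiences are listed.
        options.put("audience", String.join(",", new CharSequence[0]));
        return options;
    }
}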
