package io.confluent.security.auth.provider.oauth;

import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import io.confluent.kafka.multitenant.TopicBasedPhysicalClusterMetadata;
import io.confluent.kafka.multitenant.Utils;
import io.confluent.kafka.server.plugins.auth.SniValidationMode;
import io.confluent.kafka.server.plugins.auth.oauth.JwtAuthenticatorConfig;
import io.confluent.kafka.server.plugins.auth.oauth.MockBasicAuthStore;
import io.confluent.kafka.server.plugins.auth.oauth.MockTrustCache;
import io.confluent.kafka.server.plugins.auth.oauth.OAuthUtils;
import io.confluent.kafka.test.utils.KafkaTestUtils;
import io.confluent.kafka.util.ClientContext;
import io.confluent.security.auth.oauth.mockserver.common.TokenInfo;
import io.confluent.security.authentication.AuthenticationException;
import io.confluent.security.authentication.credential.BearerCredential;
import io.confluent.security.authentication.oauthbearer.MockJwtSource;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.config.ConfigurationException;
import io.confluent.security.test.utils.JwtTestUtils;
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.callback.Callback;
import kafka.server.KafkaConfig;
import kafka.test.JarResourceLoader;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.SaslExtensions;
import org.apache.kafka.common.security.authenticator.TestJaasConfig;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.apache.kafka.test.TestUtils;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:io/confluent/security/auth/provider/oauth/EnhancedOAuthBearerValidatorCallbackHandlerTest.class */
public class EnhancedOAuthBearerValidatorCallbackHandlerTest {
    // Authorization scope for the test organisation; declared here but not referenced by the tests visible below.
    private final Scope orgA = new Scope.Builder(new String[]{"org=OrgA"}).build();
    // Issuer and JWKS endpoint of the external (non-Confluent) identity provider used by the JWS tests.
    // These are compile-time String constants, so the test bodies below show the literal values
    // inlined rather than the field names.
    private final String jwtIssuerA = "https://test-issuer-a.com";
    private final String jwksEndpointA = "https://test-issuer-a.com/json.jwks";
    // HTTPS issuer used by testKeyResolverHttps; no key is ever published for it in the trust cache.
    private final String httpsIssuer = "https://vault.cireops.gcp.internal.confluent.cloud/v1/identity/oidc";
    // Key set the tests fill with the verification key of the current jwsContainer before pushing it into authCache.
    private JsonWebKeySet jwks = new JsonWebKeySet(new JsonWebKey[0]);
    private static final String DEFAULT_SUBJECT = "Customer";
    private MockBasicAuthStore authStore;
    private MockTrustCache authCache;
    // Broker configs handed to the callback handler; setUp registers the broker session UUID in them.
    private Map<String, Object> configs;
    private String brokerUUID;
    // Signed JWS (plus its verification key and kid) for the test currently running.
    private OAuthUtils.JwsContainer jwsContainer;
    private TopicBasedPhysicalClusterMetadata metadata;
    // The single logical cluster this broker "hosts" in the tests, and the organisation it belongs to.
    private static final List<String> ALLOWED_LOGICAL_CLUSTERS = Collections.singletonList(Utils.LC_META_ABC.logicalClusterId());
    private static final String ORG_RESOURCE_ID = Utils.LC_META_ABC.organizationId();
    private static final String DEFAULT_ISSUER = "Confluent";
    // Token fixtures for the SASL-extension tests: one that matches the hosted cluster and its organisation,
    // one whose orgResourceId claim names a foreign organisation ("org_1"), and one from a non-Confluent issuer.
    private static final OAuthBearerJwsToken TOKEN_MOCK = new OAuthBearerJwsToken("", new HashSet(ALLOWED_LOGICAL_CLUSTERS), 0, "", 0L, Collections.singletonMap("orgResourceId", ORG_RESOURCE_ID), DEFAULT_ISSUER);
    private static final OAuthBearerJwsToken INVALID_ORG_TOKEN_MOCK = new OAuthBearerJwsToken("", new HashSet(ALLOWED_LOGICAL_CLUSTERS), 0, "", 0L, Collections.singletonMap("orgResourceId", "org_1"), DEFAULT_ISSUER);
    private static final OAuthBearerJwsToken NON_CONFLUENT_TOKEN_MOCK = new OAuthBearerJwsToken("", new HashSet(ALLOWED_LOGICAL_CLUSTERS), 0, "", 0L, Collections.singletonMap("orgResourceId", ORG_RESOURCE_ID), "SomeoneElse");
    // SPIFFE identity of the test workload in the first mock SPIRE trust domain.
    private static final String SPIRE_SUBJECT_1 = "spiffe://" + MockJwtSource.SPIRE_TRUST_DOMAIN_1 + "/test-workload";

    /**
     * Builds a minimal claim set for {@code issuer}. Both iat and exp are set to the epoch, so the
     * claims describe an already-expired token unless the caller overrides them.
     */
    private static JwtClaims mockJwtClaims(String issuer) {
        NumericDate epoch = NumericDate.fromMilliseconds(0L);
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(issuer);
        claims.setIssuedAt(epoch);
        claims.setExpirationTime(epoch);
        return claims;
    }

    /**
     * Claims as issued by the Confluent auth service: {@link #DEFAULT_ISSUER} plus a
     * {@code clusters} claim listing the logical clusters the token is valid for.
     */
    private static JwtClaims mockAuthServiceJwtClaims(List<String> clusters) {
        JwtClaims claims = mockJwtClaims(DEFAULT_ISSUER);
        claims.setClaim("clusters", clusters);
        return claims;
    }

    @BeforeEach
    public void setUp() throws Exception {
        // Fail fast on threads leaked by an earlier test, before this one creates any of its own.
        KafkaTestUtils.verifyThreadCleanup();
        createAuthStore();
        this.brokerUUID = "uuid";
        // Register the broker session UUID so the mocked physical-cluster metadata can be looked up by it.
        Map<String, Object> brokerConfigs = new HashMap<>();
        brokerConfigs.put(KafkaConfig.BrokerSessionUuidProp(), this.brokerUUID);
        this.configs = brokerConfigs;
        initiateTopicBasedPhysicalClusterMetadata(brokerConfigs);
    }

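    /**
     * Installs a Mockito mock of the physical-cluster metadata that runs the real
     * configure/getSessionUuid/close implementations (so the broker session UUID in
     * {@code brokerConfigs} is honoured) while answering lookups of LC_META_ABC from a stub.
     *
     * @param brokerConfigs broker configs containing the session UUID registered in setUp
     */
    private void initiateTopicBasedPhysicalClusterMetadata(Map<String, Object> brokerConfigs) {
        TopicBasedPhysicalClusterMetadata mock = Mockito.mock(TopicBasedPhysicalClusterMetadata.class);
        Mockito.doCallRealMethod().when(mock).configure(ArgumentMatchers.any(Map.class));
        Mockito.doCallRealMethod().when(mock).getSessionUuid(ArgumentMatchers.any(Map.class));
        Mockito.doCallRealMethod().when(mock).close(ArgumentMatchers.any(String.class));
        this.metadata = mock;
        try {
            mock.configure(brokerConfigs);
        } catch (Exception ignored) {
            // Best effort: the real configure() may not complete on a partially mocked instance.
            // The tests presumably only need the session UUID registered; a genuinely broken
            // registration surfaces later through createCallbackHandler
            // (see testConfigureRaisesExceptionWhenInvalidPhysicalMetadataInstance).
        }
        Mockito.when(mock.metadata(Utils.LC_META_ABC.logicalClusterId())).thenReturn(Utils.LC_META_ABC);
    }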

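    @AfterEach
    public void tearDown() {
        try {
            // setUp may have failed before the metadata mock was installed; do not mask that
            // failure with an NPE here.
            if (this.metadata != null) {
                this.metadata.close(this.brokerUUID);
            }
        } finally {
            // Release the auth store even if closing the metadata throws, so it cannot leak into later tests.
            if (this.authStore != null) {
                this.authStore.close();
            }
        }
        // Runs after both resources are released so a leaked thread is attributed to this test.
        KafkaTestUtils.verifyThreadCleanup();
    }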

    @Test
    public void testAttachJwsWithPropertyConfig() throws Exception {
        // Token from the external issuer; its verification key is published in the trust cache under
        // the issuer alone (no JWKS endpoint), matching a property-driven (config-file-less) handler.
        this.jwsContainer = new OAuthUtils.Builder(36000, this.jwtIssuerA, DEFAULT_SUBJECT, ORG_RESOURCE_ID).withKid(true).build();
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("");
        OAuthBearerValidatorCallback callback = new OAuthBearerValidatorCallback(this.jwsContainer.getJwsToken());

        RsaJsonWebKey publicKey = new RsaJsonWebKey((RSAPublicKey) this.jwsContainer.verificationKey());
        publicKey.setKeyId(this.jwsContainer.getKid());
        this.jwks.addJsonWebKey(publicKey);
        JwtTestUtils.updateJwks(this.authCache, this.jwtIssuerA, "", this.jwks);

        handler.handle(new Callback[]{callback});

        Assertions.assertNotNull(callback.token());
        Assertions.assertEquals(this.jwsContainer.getJwsToken(), callback.token().value());
        Assertions.assertNull(callback.errorStatus());
    }

    @Test
    public void testAttachJwsWithJwksEndpointWithPropertyConfig() throws Exception {
        // Same as testAttachJwsWithPropertyConfig, but the callback context names an explicit JWKS
        // endpoint and the key is published under both the issuer and that endpoint.
        this.jwsContainer = new OAuthUtils.Builder(36000, this.jwtIssuerA, DEFAULT_SUBJECT, ORG_RESOURCE_ID).withKid(true).build();
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("");
        OAuthBearerValidatorCallback callback = new OAuthBearerValidatorCallback(this.jwsContainer.getJwsToken());
        callback.context().add("jwksEndpoint", this.jwksEndpointA);

        RsaJsonWebKey publicKey = new RsaJsonWebKey((RSAPublicKey) this.jwsContainer.verificationKey());
        publicKey.setKeyId(this.jwsContainer.getKid());
        this.jwks.addJsonWebKey(publicKey);
        JwtTestUtils.updateJwks(this.authCache, this.jwtIssuerA, this.jwksEndpointA, this.jwks);

        handler.handle(new Callback[]{callback});

        Assertions.assertNotNull(callback.token());
        Assertions.assertEquals(this.jwsContainer.getJwsToken(), callback.token().value());
        Assertions.assertNull(callback.errorStatus());
    }

    @Test
    public void testAttachJws() throws Exception {
        // Happy path with the file-based handler configuration (AuthConfig.yaml): a token whose
        // signing key is resolvable by kid is attached to the callback with no error status.
        this.jwsContainer = new OAuthUtils.Builder(36000, this.jwtIssuerA, DEFAULT_SUBJECT, ORG_RESOURCE_ID).withKid(true).build();
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");
        OAuthBearerValidatorCallback callback = new OAuthBearerValidatorCallback(this.jwsContainer.getJwsToken());

        RsaJsonWebKey publicKey = new RsaJsonWebKey((RSAPublicKey) this.jwsContainer.verificationKey());
        publicKey.setKeyId(this.jwsContainer.getKid());
        this.jwks.addJsonWebKey(publicKey);
        JwtTestUtils.updateJwks(this.authCache, this.jwtIssuerA, "", this.jwks);

        handler.handle(new Callback[]{callback});

        Assertions.assertNotNull(callback.token());
        Assertions.assertEquals(this.jwsContainer.getJwsToken(), callback.token().value());
        Assertions.assertNull(callback.errorStatus());
    }

    @Test
    public void testPopulatesInvalidExtensionsWhenNoLogicalClusterMetadata() throws Exception {
        // Once the logical-cluster metadata is removed the broker no longer hosts that cluster, so a
        // token scoped to it must be rejected even though the cluster id in the extension is well-formed.
        deleteLogicalClusterMetadata();
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");
        Map<String, String> extensions = Collections.singletonMap("logicalCluster", Utils.LC_META_ABC.logicalClusterId());
        OAuthBearerExtensionsValidatorCallback callback =
            new OAuthBearerExtensionsValidatorCallback(TOKEN_MOCK, new SaslExtensions(extensions));
        handler.handle(new Callback[]{callback});
        verifyFailedAuthenticationDueToLogicalClusterNotMatched(callback);
    }

    @Test
    public void testLogicalClusterExtensionsValidatedWhenTheyMatchTokensLogicalClusterAndIsHostedOnBroker() throws Exception {
        // Baseline success: the requested logical cluster is both in the token and hosted on this broker.
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");
        Map<String, String> extensions = Collections.singletonMap("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        OAuthBearerExtensionsValidatorCallback callback =
            new OAuthBearerExtensionsValidatorCallback(TOKEN_MOCK, new SaslExtensions(extensions));
        handler.handle(new Callback[]{callback});
        verifySuccessfulAuthentication(callback);
    }

    @Test
    public void testLogicalClusterExtensionsValidatedWhenTheyStartWithPkcLegacySniValidationMode() throws Exception {
        // In ALLOW_LEGACY_BOOTSTRAP mode an SNI host name with a "pkc-" (physical cluster) prefix is
        // accepted even though it does not name the token's logical cluster.
        EnhancedOAuthBearerValidatorCallbackHandler handler =
            createCallbackHandler("AuthConfig.yaml", SniValidationMode.ALLOW_LEGACY_BOOTSTRAP);
        Map<String, String> extensions = new HashMap<>();
        extensions.put("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        extensions.put("__confluent_sni_broker_host_name", "pkc-wrong-123.confluent.io");
        OAuthBearerExtensionsValidatorCallback callback =
            new OAuthBearerExtensionsValidatorCallback(TOKEN_MOCK, new SaslExtensions(extensions));
        handler.handle(new Callback[]{callback});
        verifySuccessfulAuthentication(callback);
    }

    @Test
    public void testLogicalClusterExtensionsValidatedWhenTheyMatchTokensLogicalClusterLegacySniValidationMode() throws Exception {
        // Legacy SNI mode, SNI host name prefixed with the token's own logical cluster id: accepted.
        EnhancedOAuthBearerValidatorCallbackHandler handler =
            createCallbackHandler("AuthConfig.yaml", SniValidationMode.ALLOW_LEGACY_BOOTSTRAP);
        String sniHost = Utils.LC_META_ABC.logicalClusterId() + "-123.confluent.io";
        Map<String, String> extensions = new HashMap<>();
        extensions.put("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        extensions.put("__confluent_sni_broker_host_name", sniHost);
        OAuthBearerExtensionsValidatorCallback callback =
            new OAuthBearerExtensionsValidatorCallback(TOKEN_MOCK, new SaslExtensions(extensions));
        handler.handle(new Callback[]{callback});
        verifySuccessfulAuthentication(callback);
    }

    @Test
    public void testLogicalClusterNoBelongToOrg() throws Exception {
        // The logical cluster and SNI host match, but the token's orgResourceId ("org_1") is not the
        // organisation that owns the cluster, so the cluster check must fail.
        EnhancedOAuthBearerValidatorCallbackHandler handler =
            createCallbackHandler("AuthConfig.yaml", SniValidationMode.ALLOW_LEGACY_BOOTSTRAP);
        String sniHost = Utils.LC_META_ABC.logicalClusterId() + "-123.confluent.io";
        Map<String, String> extensions = new HashMap<>();
        extensions.put("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        extensions.put("__confluent_sni_broker_host_name", sniHost);
        OAuthBearerExtensionsValidatorCallback callback =
            new OAuthBearerExtensionsValidatorCallback(INVALID_ORG_TOKEN_MOCK, new SaslExtensions(extensions));
        handler.handle(new Callback[]{callback});
        verifyFailedAuthenticationDueToLogicalClusterNotMatched(callback);
    }

    @Test
    public void testLogicalClusterExtensionsFailedWhenNotProvidedLegacySniValidationMode() throws Exception {
        // Even in legacy mode an absent (null) SNI host name is not accepted.
        EnhancedOAuthBearerValidatorCallbackHandler handler =
            createCallbackHandler("AuthConfig.yaml", SniValidationMode.ALLOW_LEGACY_BOOTSTRAP);
        Map<String, String> extensions = new HashMap<>();
        extensions.put("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        extensions.put("__confluent_sni_broker_host_name", null);
        OAuthBearerExtensionsValidatorCallback callback =
            new OAuthBearerExtensionsValidatorCallback(TOKEN_MOCK, new SaslExtensions(extensions));
        handler.handle(new Callback[]{callback});
        verifyFailedAuthenticationDueToSniHostNameNotMatched(callback);
    }

    @Test
    public void testLogicalClusterExtensionsFailedWhenTheyNotMatchTokensLogicalClusterLegacySniValidationModeConfluentIssuer() throws Exception {
        // Confluent-issued token variant of the legacy-mode SNI mismatch check.
        OAuthBearerJwsToken confluentToken = TOKEN_MOCK;
        testLogicalClusterExtensionsFailedWhenTheyNotMatchTokensLogicalClusterLegacySniValidationMode(confluentToken);
    }

    @Test
    public void testLogicalClusterExtensionsFailedWhenTheyNotMatchTokensLogicalClusterLegacySniValidationModeNonConfluentIssuer() throws Exception {
        // Same mismatch check for a token from a non-Confluent issuer: the issuer must not relax it.
        OAuthBearerJwsToken externalToken = NON_CONFLUENT_TOKEN_MOCK;
        testLogicalClusterExtensionsFailedWhenTheyNotMatchTokensLogicalClusterLegacySniValidationMode(externalToken);
    }

    /**
     * Legacy SNI mode: an SNI host name with an "lkc-" prefix that names a different logical cluster
     * than the token's must be rejected, whichever issuer signed {@code token}.
     */
    private void testLogicalClusterExtensionsFailedWhenTheyNotMatchTokensLogicalClusterLegacySniValidationMode(OAuthBearerJwsToken token) throws Exception {
        EnhancedOAuthBearerValidatorCallbackHandler handler =
            createCallbackHandler("AuthConfig.yaml", SniValidationMode.ALLOW_LEGACY_BOOTSTRAP);
        Map<String, String> extensions = new HashMap<>();
        extensions.put("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        extensions.put("__confluent_sni_broker_host_name", "lkc-wrong-123.confluent.io");
        OAuthBearerExtensionsValidatorCallback callback =
            new OAuthBearerExtensionsValidatorCallback(token, new SaslExtensions(extensions));
        handler.handle(new Callback[]{callback});
        verifyFailedAuthenticationDueToSniHostNameNotMatched(callback);
    }

    @Test
    public void testLogicalClusterExtensionsValidatedWhenTheyMatchTokensLogicalClusterStrictSniValidationMode() throws Exception {
        // STRICT SNI mode still accepts a host name prefixed with the token's own logical cluster id.
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml", SniValidationMode.STRICT);
        String sniHost = Utils.LC_META_ABC.logicalClusterId() + "-123.confluent.io";
        Map<String, String> extensions = new HashMap<>();
        extensions.put("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        extensions.put("__confluent_sni_broker_host_name", sniHost);
        OAuthBearerExtensionsValidatorCallback callback =
            new OAuthBearerExtensionsValidatorCallback(TOKEN_MOCK, new SaslExtensions(extensions));
        handler.handle(new Callback[]{callback});
        verifySuccessfulAuthentication(callback);
    }

    @Test
    public void testLogicalClusterExtensionsValidatedWhenMissingSubjectWithNoConfluentIssuer() throws Exception {
        // A subject-less token from the external issuer is tolerated (contrast
        // testRaisesJwtExceptionIfMissingSubjectForConfluentIssuer). Its key is published so that
        // the handler can resolve it; the extension callback itself carries TOKEN_MOCK.
        this.jwsContainer = new OAuthUtils.Builder(36000, this.jwtIssuerA, null, ORG_RESOURCE_ID).withKid(true).build();
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");

        RsaJsonWebKey publicKey = new RsaJsonWebKey((RSAPublicKey) this.jwsContainer.verificationKey());
        publicKey.setKeyId(this.jwsContainer.getKid());
        this.jwks.addJsonWebKey(publicKey);
        JwtTestUtils.updateJwks(this.authCache, this.jwtIssuerA, this.jwksEndpointA, this.jwks);

        Map<String, String> extensions = Collections.singletonMap("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        OAuthBearerExtensionsValidatorCallback callback =
            new OAuthBearerExtensionsValidatorCallback(TOKEN_MOCK, new SaslExtensions(extensions));
        handler.handle(new Callback[]{callback});
        verifySuccessfulAuthentication(callback);
    }

    @Test
    public void testLogicalClusterExtensionsFailedWhenSNIHostNameNotMatchingStrictSniValidationModeConfluentIssuer() throws Exception {
        // Confluent-issued token variant of the strict-mode SNI mismatch check.
        OAuthBearerJwsToken confluentToken = TOKEN_MOCK;
        testLogicalClusterExtensionsFailedWhenSNIHostNameNotMatchingStrictSniValidationMode(confluentToken);
    }

    @Test
    public void testLogicalClusterExtensionsFailedWhenSNIHostNameNotMatchingStrictSniValidationModeNonConfluentIssuer() throws Exception {
        // Non-Confluent issuer variant of the strict-mode SNI mismatch check.
        OAuthBearerJwsToken externalToken = NON_CONFLUENT_TOKEN_MOCK;
        testLogicalClusterExtensionsFailedWhenSNIHostNameNotMatchingStrictSniValidationMode(externalToken);
    }

    /**
     * STRICT SNI mode: an SNI host name naming a different logical cluster than the token's is
     * rejected regardless of which issuer signed {@code token}.
     */
    private void testLogicalClusterExtensionsFailedWhenSNIHostNameNotMatchingStrictSniValidationMode(OAuthBearerJwsToken token) throws Exception {
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml", SniValidationMode.STRICT);
        Map<String, String> extensions = new HashMap<>();
        extensions.put("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        extensions.put("__confluent_sni_broker_host_name", "lkc-wrong-123.confluent.io");
        OAuthBearerExtensionsValidatorCallback callback =
            new OAuthBearerExtensionsValidatorCallback(token, new SaslExtensions(extensions));
        handler.handle(new Callback[]{callback});
        verifyFailedAuthenticationDueToSniHostNameNotMatched(callback);
    }

    @Test
    public void testRaisesJwtExceptionIfMissingSubjectForConfluentIssuer() throws Exception {
        // A Confluent-issued token without a subject must fail JWT validation (InvalidJwtException),
        // unlike the external-issuer case in testLogicalClusterExtensionsValidatedWhenMissingSubjectWithNoConfluentIssuer.
        this.jwsContainer = new OAuthUtils.Builder(36000, DEFAULT_ISSUER, null, ORG_RESOURCE_ID).withKid(true).build();
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");

        RsaJsonWebKey publicKey = new RsaJsonWebKey((RSAPublicKey) this.jwsContainer.verificationKey());
        publicKey.setKeyId(this.jwsContainer.getKid());
        this.jwks.addJsonWebKey(publicKey);
        // NOTE(review): the key is published under the external issuer, not DEFAULT_ISSUER; the
        // expected failure is the missing subject, so key resolution presumably is not exercised here.
        JwtTestUtils.updateJwks(this.authCache, this.jwtIssuerA, this.jwksEndpointA, this.jwks);

        AuthenticationException failure = Assertions.assertThrows(AuthenticationException.class,
            () -> handler.processToken(this.jwsContainer.getJwsToken(), new ClientContext()));
        Assertions.assertTrue(failure.getMessage().contains("InvalidJwtException"));
    }

    @Test
    public void testLogicalClusterExtensionsFailedWhenSNIHostNameIsNotSuppliedStrictSniValidationModeConfluentIssuer() throws Exception {
        // Confluent-issued token variant of the strict-mode "no SNI host name" check.
        OAuthBearerJwsToken confluentToken = TOKEN_MOCK;
        testLogicalClusterExtensionsFailedWhenSNIHostNameIsNotSuppliedStrictSniValidationMode(confluentToken);
    }

    @Test
    public void testLogicalClusterExtensionsFailedWhenSNIHostNameIsNotSuppliedStrictSniValidationModeNonConfluentIssuer() throws Exception {
        // Non-Confluent issuer variant of the strict-mode "no SNI host name" check.
        OAuthBearerJwsToken externalToken = NON_CONFLUENT_TOKEN_MOCK;
        testLogicalClusterExtensionsFailedWhenSNIHostNameIsNotSuppliedStrictSniValidationMode(externalToken);
    }

    /**
     * STRICT SNI mode: a null SNI host name is rejected for any issuer of {@code token}.
     */
    private void testLogicalClusterExtensionsFailedWhenSNIHostNameIsNotSuppliedStrictSniValidationMode(OAuthBearerJwsToken token) throws Exception {
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml", SniValidationMode.STRICT);
        Map<String, String> extensions = new HashMap<>();
        extensions.put("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        extensions.put("__confluent_sni_broker_host_name", null);
        OAuthBearerExtensionsValidatorCallback callback =
            new OAuthBearerExtensionsValidatorCallback(token, new SaslExtensions(extensions));
        handler.handle(new Callback[]{callback});
        verifyFailedAuthenticationDueToSniHostNameNotMatched(callback);
    }

    @Test
    public void testPopulatesInvalidExtensionsWhenLogicalClusterIsNotHostedOnBroker() throws Exception {
        // The token is valid for cluster "cp12" and the client asks for "cp12", but this broker only
        // hosts LC_META_ABC, so the extension validation must fail.
        String foreignCluster = "cp12";
        List<String> tokenClusters = Collections.singletonList(foreignCluster);
        OAuthBearerJwsToken token = new OAuthBearerJwsToken("", new HashSet<>(tokenClusters), 0L, "", 0L);
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");
        Map<String, String> extensions = Collections.singletonMap("logicalCluster", foreignCluster);
        OAuthBearerExtensionsValidatorCallback callback =
            new OAuthBearerExtensionsValidatorCallback(token, new SaslExtensions(extensions));
        handler.handle(new Callback[]{callback});
        verifyFailedAuthenticationDueToLogicalClusterNotMatched(callback);
    }

    @Test
    public void testConfigureRaisesExceptionWhenInvalidPhysicalMetadataInstance() throws Exception {
        // Point the handler at a broker session UUID for which setUp registered no physical-cluster
        // metadata (the literal key presumably equals KafkaConfig.BrokerSessionUuidProp()).
        this.configs.put("broker.session.uuid", "made-up");
        Assertions.assertThrows(ConfigurationException.class, () -> createCallbackHandler("AuthConfig.yaml"));
    }

    @Test
    public void testRaisesJwtExceptionWhenInvalidJws() throws Exception {
        // Publish the verification key of one token, then validate a token signed by a freshly built
        // container. Its key is presumably not the published one, so resolution must fail
        // (UnresolvableKeyException) rather than the signature being accepted.
        OAuthUtils.JwsContainer published = new OAuthUtils.Builder(36000, this.jwtIssuerA, DEFAULT_SUBJECT, ORG_RESOURCE_ID).withKid(true).build();
        RsaJsonWebKey publishedKey = new RsaJsonWebKey((RSAPublicKey) published.verificationKey());
        publishedKey.setKeyId(published.getKid());
        this.jwks.addJsonWebKey(publishedKey);
        JwtTestUtils.updateJwks(this.authCache, this.jwtIssuerA, this.jwksEndpointA, this.jwks);

        this.jwsContainer = new OAuthUtils.Builder(36000, this.jwtIssuerA, DEFAULT_SUBJECT, ORG_RESOURCE_ID).withKid(true).build();
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");

        AuthenticationException failure = Assertions.assertThrows(AuthenticationException.class,
            () -> handler.processToken(this.jwsContainer.getJwsToken(), new ClientContext()));
        Assertions.assertTrue(failure.getMessage().contains("UnresolvableKeyException"));
    }

    @Test
    public void testRaisesJwtExceptionWhenExpiredJws() throws Exception {
        // Build a token with a very short lifetime (50, presumably milliseconds, given the sleep below)
        // and wait for it to lapse; validation must then fail with InvalidJwtException even though
        // the signing key is resolvable.
        this.jwsContainer = new OAuthUtils.Builder(50, this.jwtIssuerA, DEFAULT_SUBJECT, ORG_RESOURCE_ID).withKid(true).build();
        Thread.sleep(100L);
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");

        RsaJsonWebKey publicKey = new RsaJsonWebKey((RSAPublicKey) this.jwsContainer.verificationKey());
        publicKey.setKeyId(this.jwsContainer.getKid());
        this.jwks.addJsonWebKey(publicKey);
        JwtTestUtils.updateJwks(this.authCache, this.jwtIssuerA, this.jwksEndpointA, this.jwks);

        AuthenticationException failure = Assertions.assertThrows(AuthenticationException.class,
            () -> handler.processToken(this.jwsContainer.getJwsToken(), new ClientContext()));
        Assertions.assertTrue(failure.getMessage().contains("InvalidJwtException"));
    }

    @Test
    public void testRaisesJwtExceptionIfNoExpirationTime() throws Exception {
        // A token without an exp claim is rejected (InvalidJwtException) even with a resolvable key:
        // tokens that never expire are not accepted.
        this.jwsContainer = new OAuthUtils.Builder(null, this.jwtIssuerA, DEFAULT_SUBJECT, ORG_RESOURCE_ID).withKid(true).build();
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");

        RsaJsonWebKey publicKey = new RsaJsonWebKey((RSAPublicKey) this.jwsContainer.verificationKey());
        publicKey.setKeyId(this.jwsContainer.getKid());
        this.jwks.addJsonWebKey(publicKey);
        JwtTestUtils.updateJwks(this.authCache, this.jwtIssuerA, this.jwksEndpointA, this.jwks);

        AuthenticationException failure = Assertions.assertThrows(AuthenticationException.class,
            () -> handler.processToken(this.jwsContainer.getJwsToken(), new ClientContext()));
        Assertions.assertTrue(failure.getMessage().contains("InvalidJwtException"));
    }

    @Test
    public void testKeyResolverHttps() throws Exception {
        // No key is published for the HTTPS issuer, so key resolution for its token must fail with
        // UnresolvableKeyException rather than the token being accepted unverified.
        this.jwsContainer = new OAuthUtils.Builder(3600, this.httpsIssuer, DEFAULT_SUBJECT, ORG_RESOURCE_ID).withKid(true).build();
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");
        AuthenticationException failure = Assertions.assertThrows(AuthenticationException.class,
            () -> handler.processToken(this.jwsContainer.getJwsToken(), new ClientContext()));
        Assertions.assertTrue(failure.getMessage().contains("UnresolvableKeyException"));
    }

    @Test
    public void testKeyResolverHttpsNoJwksUri() throws Exception {
        // AuthConfig1.yaml omits the jwksUri; the handler must refuse to start, and the root cause
        // names the missing setting.
        ConfigurationException failure = Assertions.assertThrows(ConfigurationException.class,
            () -> createCallbackHandler("AuthConfig1.yaml"));
        Assertions.assertTrue(failure.getCause().getMessage().contains("jwksUri must not be null"));
    }

    @Test
    public void testKeyResolverJku() throws Exception {
        // Confluent-issued token with no published key and no allow-listed jku: the resolver must
        // report a KeyConstraintException instead of fetching keys from an arbitrary location.
        this.jwsContainer = new OAuthUtils.Builder(3600, DEFAULT_ISSUER, DEFAULT_SUBJECT, ORG_RESOURCE_ID).withKid(true).build();
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");
        AuthenticationException failure = Assertions.assertThrows(AuthenticationException.class,
            () -> handler.processToken(this.jwsContainer.getJwsToken(), new ClientContext()));
        Assertions.assertTrue(failure.getMessage().contains("KeyConstraintException"));
    }

    @Test
    public void testNullSpireAgentEndpoint() {
        // AuthConfigSpireInvalid.yaml leaves the SPIRE agent socket unset; construction must fail
        // with the non-null precondition message rather than a handler with no key source.
        NullPointerException failure = Assertions.assertThrows(NullPointerException.class,
            () -> createCallbackHandler("AuthConfigSpireInvalid.yaml"));
        Assertions.assertTrue(failure.getMessage().contains("spireAgentSocketEndpoint must be non null"));
    }

    @Test
    public void testKeyResolverSpireFailure() throws Exception {
        // SPIRE-issued token (SPIFFE subject) whose signing key is not known to the mock JWT source:
        // resolution must fail with UnresolvableKeyException.
        String spireIssuer = "test.prefix.spire.internal.confluent.cloud";
        this.jwsContainer = new OAuthUtils.Builder(3600, spireIssuer, SPIRE_SUBJECT_1, ORG_RESOURCE_ID).withKid(true).build();
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("");
        AuthenticationException failure = Assertions.assertThrows(AuthenticationException.class,
            () -> handler.processToken(this.jwsContainer.getJwsToken(), new ClientContext()));
        Assertions.assertTrue(failure.getMessage().contains("UnresolvableKeyException"));
    }

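    @Test
    public void testKeyResolverSpireSuccess() throws Exception {
        // SPIRE happy path: a JWS signed with the mock source's RSA_SPIRE_1 key, carrying the expected
        // audience and a SPIFFE subject in trust domain 1, is attached to the callback without error.
        JwtClaims claims = new JwtClaims();
        claims.setIssuer("test.prefix.spire.internal.confluent.cloud");
        claims.setAudience(MockJwtSource.VALID_AUD);
        claims.setSubject("spiffe://" + MockJwtSource.SPIRE_TRUST_DOMAIN_1 + "/test-workload-client");
        claims.setExpirationTimeMinutesInTheFuture(60.0f);
        claims.setIssuedAt(NumericDate.now());
        BearerCredential credential = MockJwtSource.createEncodedJws(MockJwtSource.Kid.RSA_SPIRE_1, claims);

        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("");
        OAuthBearerValidatorCallback callback = new OAuthBearerValidatorCallback(credential.bearerToken());
        handler.handle(new Callback[]{callback});

        // Check for an error status and a present token before dereferencing token(), so a failed
        // validation reports the handler's error rather than a NullPointerException.
        Assertions.assertNull(callback.errorStatus());
        Assertions.assertNotNull(callback.token());
        Assertions.assertEquals(credential.bearerToken(), callback.token().value());
    }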

    @Test
    public void testKeyResolverJkuNoWhiteList() throws Exception {
        // The token advertises a jku header, but AuthConfig.yaml allow-lists no jku locations, so
        // the resolver must refuse it (KeyConstraintException) instead of following the header.
        this.jwsContainer = new OAuthUtils.Builder(3600, DEFAULT_ISSUER, DEFAULT_SUBJECT, ORG_RESOURCE_ID)
            .withKid(true)
            .jku(DEFAULT_ISSUER)
            .build();
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");
        AuthenticationException failure = Assertions.assertThrows(AuthenticationException.class,
            () -> handler.processToken(this.jwsContainer.getJwsToken(), new ClientContext()));
        Assertions.assertTrue(failure.getMessage().contains("KeyConstraintException"));
    }

    @Test
    public void testKeyResolverJkuEmptyWhiteList() throws Exception {
        // Same jku refusal for an issuer ("Confluent1") whose jku allow-list is presumably empty in
        // AuthConfig.yaml: an attacker-controlled jku must never become a key source.
        String issuer = "Confluent1";
        this.jwsContainer = new OAuthUtils.Builder(3600, issuer, DEFAULT_SUBJECT, ORG_RESOURCE_ID)
            .withKid(true)
            .jku(issuer)
            .build();
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");
        AuthenticationException failure = Assertions.assertThrows(AuthenticationException.class,
            () -> handler.processToken(this.jwsContainer.getJwsToken(), new ClientContext()));
        Assertions.assertTrue(failure.getMessage().contains("KeyConstraintException"));
    }

    @Test
    public void testIdentityPoolExtensionValidation() throws Exception {
        // Identity-pool mapping: a Google-issued token whose claims satisfy the pool filter
        // (claims.iss == "Google") is mapped to the pool's service account, with "sub" as the identity claim.
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");

        Map<String, String> extensions = new HashMap<>();
        extensions.put("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        extensions.put("identityPoolId", "identity_pool_1");

        Map<String, Object> claims = new HashMap<>();
        claims.put(TokenInfo.ISS, "Google");
        claims.put("sub", "User-1");
        OAuthBearerJwsToken googleToken =
            new OAuthBearerJwsToken("", new HashSet<>(ALLOWED_LOGICAL_CLUSTERS), 0L, "", 0L, claims, "Google");
        OAuthBearerExtensionsValidatorCallback callback =
            new OAuthBearerExtensionsValidatorCallback(googleToken, new SaslExtensions(extensions));

        JwtTestUtils.updateIdentityPool(this.authCache, "identity_pool_1", 1, "Google", "google.com/jwks.json",
            "sub", "serviceAccount-1", "claims.iss == \"Google\"", "my-org2");
        handler.handle(new Callback[]{callback});
        verifySuccessfulExtensionAuthorization(callback, "serviceAccount-1", "User-1");
    }

    /**
     * Same as {@link #testIdentityPoolExtensionValidation()} but with a multi-valued {@code sub}
     * claim. The pool filter {@code claims.sub==["a", "b"]} matches the list-valued claim, and the
     * {@code identityPoolId-azp} extension is expected to hold the list's string form {@code [a, b]}.
     */
    @Test
    public void testIdentityPoolExtensionValidationSubjectAsList() throws Exception {
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");

        Map<String, String> extensions = new HashMap<>();
        extensions.put("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        extensions.put("identityPoolId", "identity_pool_1");

        // Subject is deliberately a list rather than a single string.
        Map<String, Object> claims = new HashMap<>();
        claims.put(TokenInfo.ISS, "Google");
        claims.put("sub", Arrays.asList("a", "b"));

        OAuthBearerJwsToken token = new OAuthBearerJwsToken(
                "", new HashSet<>(ALLOWED_LOGICAL_CLUSTERS), 0L, "", 0L, claims, "Google");
        OAuthBearerExtensionsValidatorCallback callback =
                new OAuthBearerExtensionsValidatorCallback(token, new SaslExtensions(extensions));

        JwtTestUtils.updateIdentityPool(this.authCache, "identity_pool_1", 1, "Google", "google.com/jwks.json",
                "sub", "serviceAccount-1", "claims.sub==[\"a\", \"b\"]", "my-org2");
        handler.handle(new Callback[]{callback});

        verifySuccessfulExtensionAuthorization(callback, "serviceAccount-1", "[a, b]");
    }

    /**
     * Extension validation must fail when the pool's claim filter does not match the token: the pool
     * is registered with {@code claims.iss == "Amazon"} while the token's {@code iss} is {@code Google}.
     * The callback is expected to flag the extensions as invalid with an
     * "do not match Identity Pool" error rather than silently authorizing.
     */
    @Test
    public void testIdentityPoolExtensionValidationIssClaimFailure() throws Exception {
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");

        Map<String, String> extensions = new HashMap<>();
        extensions.put("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        extensions.put("identityPoolId", "identity_pool_1");

        Map<String, Object> claims = new HashMap<>();
        claims.put(TokenInfo.ISS, "Google");

        OAuthBearerJwsToken token = new OAuthBearerJwsToken(
                "", new HashSet<>(ALLOWED_LOGICAL_CLUSTERS), 0L, "", 0L, claims, "Google");
        OAuthBearerExtensionsValidatorCallback callback =
                new OAuthBearerExtensionsValidatorCallback(token, new SaslExtensions(extensions));

        // Filter requires a different issuer than the token presents.
        JwtTestUtils.updateIdentityPool(this.authCache, "identity_pool_1", 1, "Google", "google.com/jwks.json",
                "sub", "serviceAccount-1", "claims.iss == \"Amazon\"", "my-org2");
        handler.handle(new Callback[]{callback});

        verifyFailedExtensionAuthorization(callback);
    }

    /**
     * Extension validation must fail when the pool is registered under an organization the token is
     * not associated with: the pool is created with org {@code my-org3}, whereas the passing cases use
     * {@code my-org2}. The claim filter itself ({@code claims.iss == "Google"}) would match, so the
     * rejection is expected to come from the org check alone.
     */
    @Test
    public void testIdentityPoolExtensionValidationOrgIdFailure() throws Exception {
        EnhancedOAuthBearerValidatorCallbackHandler handler = createCallbackHandler("AuthConfig.yaml");

        Map<String, String> extensions = new HashMap<>();
        extensions.put("logicalCluster", ALLOWED_LOGICAL_CLUSTERS.get(0));
        extensions.put("identityPoolId", "identity_pool_1");

        Map<String, Object> claims = new HashMap<>();
        claims.put(TokenInfo.ISS, "Google");

        OAuthBearerJwsToken token = new OAuthBearerJwsToken(
                "", new HashSet<>(ALLOWED_LOGICAL_CLUSTERS), 0L, "", 0L, claims, "Google");
        OAuthBearerExtensionsValidatorCallback callback =
                new OAuthBearerExtensionsValidatorCallback(token, new SaslExtensions(extensions));

        // Same pool id and matching filter, but a different org id.
        JwtTestUtils.updateIdentityPool(this.authCache, "identity_pool_1", 1, "Google", "google.com/jwks.json",
                "User-1", "serviceAccount-1", "claims.iss == \"Google\"", "my-org3");
        handler.handle(new Callback[]{callback});

        verifyFailedExtensionAuthorization(callback);
    }

    /**
     * Stubs the mocked cluster metadata so a lookup for {@code Utils.LC_META_ABC}'s logical cluster id
     * returns {@code null}, i.e. the logical cluster appears to have been deleted.
     */
    private void deleteLogicalClusterMetadata() {
        Mockito.when(this.metadata.metadata(Utils.LC_META_ABC.logicalClusterId())).thenReturn((Object) null);
    }

    /**
     * Asserts that extension validation passed: no extension was flagged invalid and no error message
     * was set on the callback.
     */
    private void verifySuccessfulAuthentication(OAuthBearerExtensionsValidatorCallback callback) {
        Map<String, String> invalid = callback.invalidExtensions();
        Assertions.assertTrue(invalid.isEmpty(), "unexpected invalid extensions: " + invalid);
        Assertions.assertTrue(callback.errorMessage().isEmpty(), "unexpected error: " + callback.errorMessage());
    }

    /**
     * Asserts that validation failed specifically on the SNI broker host-name extension: the
     * {@code __confluent_sni_broker_host_name} extension is among the invalid ones and an error
     * message was set.
     */
    private void verifyFailedAuthenticationDueToSniHostNameNotMatched(OAuthBearerExtensionsValidatorCallback callback) {
        Map<String, String> invalid = callback.invalidExtensions();
        Assertions.assertFalse(invalid.isEmpty(), "expected at least one invalid extension");
        Assertions.assertNotNull(invalid.get("__confluent_sni_broker_host_name"),
                "SNI host-name extension was not flagged; invalid extensions: " + invalid);
        Assertions.assertFalse(callback.errorMessage().isEmpty(), "expected a non-empty error message");
    }

    /**
     * Asserts that validation failed specifically on the {@code logicalCluster} extension: it is among
     * the invalid extensions and an error message was set.
     */
    private void verifyFailedAuthenticationDueToLogicalClusterNotMatched(OAuthBearerExtensionsValidatorCallback callback) {
        Map<String, String> invalid = callback.invalidExtensions();
        Assertions.assertFalse(invalid.isEmpty(), "expected at least one invalid extension");
        Assertions.assertNotNull(invalid.get("logicalCluster"),
                "logicalCluster extension was not flagged; invalid extensions: " + invalid);
        Assertions.assertFalse(callback.errorMessage().isEmpty(), "expected a non-empty error message");
    }

    /**
     * Asserts that identity-pool extension validation succeeded and produced the expected
     * derived extensions.
     *
     * @param callback             the callback the handler processed
     * @param expectedSubExtension expected value of the {@code identityPoolId-sub} validated extension
     * @param expectedAzpExtension expected value of the {@code identityPoolId-azp} validated extension
     */
    private void verifySuccessfulExtensionAuthorization(OAuthBearerExtensionsValidatorCallback callback,
                                                        String expectedSubExtension,
                                                        String expectedAzpExtension) {
        Assertions.assertTrue(callback.invalidExtensions().isEmpty(),
                "unexpected invalid extensions: " + callback.invalidExtensions());
        Map<String, String> validated = callback.validatedExtensions();
        Assertions.assertEquals(expectedSubExtension, validated.get("identityPoolId-sub"));
        Assertions.assertEquals(expectedAzpExtension, validated.get("identityPoolId-azp"));
        Assertions.assertTrue(callback.errorMessage().isEmpty(), "unexpected error: " + callback.errorMessage());
    }

    /**
     * Asserts that identity-pool extension validation was rejected: some extension is invalid and the
     * error message reports that the token claims "do not match Identity Pool".
     */
    private void verifyFailedExtensionAuthorization(OAuthBearerExtensionsValidatorCallback callback) {
        Assertions.assertFalse(callback.invalidExtensions().isEmpty(), "expected at least one invalid extension");
        String error = callback.errorMessage();
        Assertions.assertTrue(error.contains("do not match Identity Pool"), "unexpected error message: " + error);
    }

    /**
     * Creates the mock auth store and captures its trust cache; the identity-pool tests register pools
     * into this cache via {@code JwtTestUtils.updateIdentityPool}.
     */
    private void createAuthStore() throws Exception {
        this.authStore = MockBasicAuthStore.create();
        this.authCache = this.authStore.trustCache();
    }

    /**
     * Builds a handler from the given classpath YAML resource with SNI host-name validation set to
     * {@link SniValidationMode#OPTIONAL_VALIDATION}.
     *
     * @param configResource classpath resource name of the authenticator YAML (see the overload taking a
     *                       {@link SniValidationMode} for the empty-string inline case)
     */
    private EnhancedOAuthBearerValidatorCallbackHandler createCallbackHandler(String configResource) {
        return createCallbackHandler(configResource, SniValidationMode.OPTIONAL_VALIDATION);
    }

    /**
     * Builds and configures a fresh {@link EnhancedOAuthBearerValidatorCallbackHandler}.
     *
     * @param configResource    classpath resource name of the authenticator YAML, or {@code ""} for inline options
     * @param sniValidationMode SNI host-name validation mode to configure
     */
    private EnhancedOAuthBearerValidatorCallbackHandler createCallbackHandler(String configResource,
                                                                              SniValidationMode sniValidationMode) {
        EnhancedOAuthBearerValidatorCallbackHandler handler = new EnhancedOAuthBearerValidatorCallbackHandler();
        return createCallbackHandler(handler, configResource, sniValidationMode);
    }

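    /**
     * Configures {@code handler} the way the broker's SASL/OAUTHBEARER setup would: a single JAAS
     * entry named {@code Kafka} for {@link OAuthBearerLoginModule} is built and handed to
     * {@link AuthenticateCallbackHandler#configure}.
     *
     * <p>When {@code configResource} is empty the JWT authenticator is configured inline through
     * {@code authenticator.jwt.*} JAAS options; otherwise the named classpath resource is copied to a
     * temporary file whose absolute path is supplied as
     * {@link JwtAuthenticatorConfig#JWT_AUTHENTICATOR_CONFIG_URL}.
     *
     * @param handler           handler to configure; returned for chaining
     * @param configResource    classpath resource name of the authenticator YAML, or {@code ""} for inline options
     * @param sniValidationMode value for the {@code sni_host_name_validation_mode} option
     * @return {@code handler}, configured
     * @throws java.io.UncheckedIOException if the YAML resource cannot be resolved or copied. Previously the
     *         failure was only printed and then surfaced as a {@link NullPointerException} on the
     *         missing temp file, hiding the real cause from the test report.
     */
    private <T extends AuthenticateCallbackHandler> T createCallbackHandler(T handler, String configResource,
                                                                           SniValidationMode sniValidationMode) {
        Map<String, Object> options = new HashMap<>();
        options.put("sni_host_name_validation_mode", sniValidationMode.getText());
        if (configResource.isEmpty()) {
            options.putAll(inlineJwtAuthenticatorOptions());
        } else {
            options.put(JwtAuthenticatorConfig.JWT_AUTHENTICATOR_CONFIG_URL,
                    copyResourceToTempFile(configResource).getAbsolutePath());
        }

        TestJaasConfig jaasConfig = new TestJaasConfig();
        jaasConfig.createOrUpdateEntry("Kafka", OAuthBearerLoginModule.class.getCanonicalName(), options);
        handler.configure(this.configs, "OAUTHBEARER",
                Collections.singletonList(jaasConfig.getAppConfigurationEntry("Kafka")[0]));
        return handler;
    }

    /** Inline {@code authenticator.jwt.*} JAAS options used when no YAML resource is given. */
    private Map<String, Object> inlineJwtAuthenticatorOptions() {
        Map<String, Object> options = new HashMap<>();
        options.put("authenticator.jwt.kind", "jwt");
        options.put("authenticator.jwt.algorithmWhitelist.1", "RS256");
        options.put("authenticator.jwt.spireAgentSocketEndpoint", "tcp://0.0.0.0:31523");
        // Issuer 1 is a wildcard: any issuer not matched below is verified via the auth cache.
        options.put("authenticator.jwt.issuers.1.name", "*");
        options.put("authenticator.jwt.issuers.1.verifier", "io.confluent.security.auth.dataplane.JwtIssuerAuthCache");
        options.put("authenticator.jwt.issuers.2.name", DEFAULT_ISSUER);
        options.put("authenticator.jwt.issuers.2.verifier", "io.confluent.security.authentication.oauthbearer.JwtIssuerJku");
        options.put("authenticator.jwt.issuers.3.name", "Confluent1");
        options.put("authenticator.jwt.issuers.3.verifier", "io.confluent.security.authentication.oauthbearer.JwtIssuerJku");
        // Issuer 4 is JWKS-based with an explicit audience list.
        options.put("authenticator.jwt.issuers.4.name", "https://vault.cireops.gcp.internal.confluent.cloud/v1/identity/oidc");
        options.put("authenticator.jwt.issuers.4.verifier", "io.confluent.security.authentication.oauthbearer.JwtIssuerJwks");
        options.put("authenticator.jwt.issuers.4.jwksUri", "https://vault.cireops.gcp.internal.confluent.cloud/v1/identity/oidc/.well-known/keys");
        options.put("authenticator.jwt.issuers.4.audience.1", "C82RLLokthIFn4v4sDYKpJbksC");
        options.put("authenticator.jwt.issuers.4.audience.2", "z2OPfk0pavN7Xj0UElTUaR1Xqt");
        options.put("authenticator.jwt.issuers.5.name", "test.prefix.spire.internal.confluent.cloud");
        options.put("authenticator.jwt.issuers.5.verifier", "io.confluent.security.authentication.oauthbearer.MockJwtIssuerSpire");
        return options;
    }

    /**
     * Copies the named classpath resource into a fresh temp file so the authenticator can read it
     * from a plain filesystem path.
     *
     * @throws java.io.UncheckedIOException if the resource cannot be resolved or copied
     */
    private static File copyResourceToTempFile(String configResource) {
        try {
            URL url = Objects.requireNonNull(JarResourceLoader
                    .loadFileFromResourceWithClassLoader(EnhancedOAuthBearerValidatorCallbackHandlerTest.class, configResource)
                    .toURI()
                    .toURL());
            File file = TestUtils.tempFile();
            // Close the resource stream; the original left it open after the copy.
            try (java.io.InputStream in = url.openStream()) {
                Files.copy(in, file.toPath(), StandardCopyOption.REPLACE_EXISTING);
            }
            return file;
        } catch (IOException e) {
            throw new java.io.UncheckedIOException(
                    "failed to stage authenticator config resource '" + configResource + "'", e);
        }
    }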
}
